CVE-2023-41898

HIGH

Home-assistant Home Assistant Companion < 2023.9.2 - Code Injection

Title source: rule

Description

Home assistant is an open source home automation. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential theft. This issue has been patched in version 2023.9.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-142`.

References (1)

[Vendor Advisory] https://github.com/home-assistant/core/security/advisories/GHSA-jvpm-q3hq-86rg

Scores

CVSS v3 8.6

EPSS 0.0010

EPSS Percentile 26.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-345 CWE-94

Status published

Products (1)

home-assistant/home_assistant_companion < 2023.9.2

Published Oct 19, 2023

Tracked Since Feb 18, 2026