CVE-2023-44385

HIGH

Home Assistant Companion < 2023.7 - Client-Side Request Forgery via Malicious Links

Title source: llm

Description

The Home Assistant Companion app for iOS and macOS, up to version 2023.4, is vulnerable to client-side request forgery. An attacker can send a malicious link or QR code to a victim; when the victim opens it, the app calls arbitrary services in the victim's own Home Assistant installation, using the authorization the app already holds for that instance. Combined with a related security advisory referenced by the original report, this may result in full compromise and remote code execution (RCE). Version 2023.7 addresses this issue and all users are advised to upgrade; the product entry below lists every version before 2023.7 as affected. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report GHSL-2023-161.
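The mechanism the description sketches, as an added illustration that is not code from the Home Assistant Companion app or from the GHSL report: a minimal model of a custom-URL-scheme handler in which any externally opened link is executed as a service call (the CWE-352 condition), beside a hardened handler that treats such a link only as a request needing the user's explicit confirmation of the exact call. The `app://call_service/<domain>.<service>?...` link shape, the FakeServer stand-in and every function name here are assumptions chosen for the example, not the app's real scheme or API, and the code is Python rather than the app's Swift so that the logic can be run anywhere.

```python
"""Deep-link handler model: a client-side request forgery (CWE-352) next to
its fix.  Added illustration only; the URL shape, names and FakeServer are
assumptions for this example, not the Home Assistant Companion app's code."""
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import parse_qsl, urlsplit

SCHEME = "app"  # assumed custom URL scheme the client app registers with the OS


@dataclass
class FakeServer:
    """Stand-in for the user's Home Assistant instance: just records calls."""
    calls: list = field(default_factory=list)

    def call_service(self, domain: str, service: str, data: dict) -> None:
        self.calls.append((domain, service, dict(data)))


def parse_deep_link(url: str) -> Optional[tuple]:
    """Parse app://call_service/<domain>.<service>?k=v... into
    (domain, service, data).  Returns None for anything else."""
    parts = urlsplit(url)
    if parts.scheme != SCHEME or parts.netloc != "call_service":
        return None
    target = parts.path.strip("/")
    if target.count(".") != 1:
        return None
    domain, service = target.split(".")
    if not domain or not service:
        return None
    return domain, service, dict(parse_qsl(parts.query))


def handle_link_vulnerable(server: FakeServer, url: str) -> bool:
    """Executes whatever a well-formed link asks for.  Because the app is
    already authenticated to the server, any link the victim opens (web page,
    chat message, QR code) becomes a service call made on the victim's behalf."""
    parsed = parse_deep_link(url)
    if parsed is None:
        return False
    domain, service, data = parsed
    server.call_service(domain, service, data)
    return True


def handle_link_hardened(server: FakeServer, url: str,
                         confirm: Callable[[str, str, dict], bool]) -> bool:
    """Same parser, but a link is only a *request*: nothing runs until the
    user approves the exact domain, service and data shown to them."""
    parsed = parse_deep_link(url)
    if parsed is None:
        return False
    domain, service, data = parsed
    if not confirm(domain, service, data):
        return False  # declined: no state change, the attacker gets nothing
    server.call_service(domain, service, data)
    return True


if __name__ == "__main__":
    # Constructed attacker link: unlock a door through the victim's own session.
    link = "app://call_service/lock.unlock?entity_id=lock.front_door"
    victim = FakeServer()
    handle_link_vulnerable(victim, link)
    print("vulnerable handler executed:", victim.calls)
    victim = FakeServer()
    handle_link_hardened(victim, link, confirm=lambda d, s, data: False)
    print("hardened handler, user declined:", victim.calls)
```

The parser is identical in both handlers; the only difference is whether an external trigger is allowed to act on its own. For the confirmation to be worth anything it has to display the concrete domain, service and parameters the link carries, not a generic "allow?" prompt, and declining must leave no state changed.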

Scores

CVSS v3 8.6
EPSS 0.0028
EPSS Percentile 20.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-352
Status published
Products (1)
home-assistant/home_assistant_companion < 2023.7 (2 CPE variants)
Published Oct 19, 2023
Tracked Since Feb 18, 2026