CVE-2023-41898 HIGH

CVE-2023-41898: Arbitrary URL load in Android WebView in `MyActivity.kt` in Home Assistant Companion for Android

Vendor Home-Assistant
Product core
Weakness CWE-345
Published October 19, 2023
Last update September 12, 2024

CVSS base score

8.6/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Home assistant is an open source home automation. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential theft. This issue has been patched in version 2023.9.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-142`.

Key dates

02Disclosure timeline

October 19, 2023 CVE published
September 12, 2024 Record updated