CVE-2023-44385 HIGH

CVE-2023-44385: Client-Side Request Forgery in Home Assistant iOS/macOS native Apps

Vendor Home-Assistant
Product core
Weakness CWE-352 · CSRF
Published October 19, 2023
Last update September 12, 2024
View on NVD All CVEs

CVSS base score

8.6/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

The Home Assistant Companion for iOS and macOS app up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links/QRs to victims that, when visited, will make the victim to call arbitrary services in their Home Assistant installation. Combined with this security advisory, may result in full compromise and remote code execution (RCE). Version 2023.7 addresses this issue and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-161.

Key dates

02Disclosure timeline

October 19, 2023 CVE published
September 12, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-62148 WordPress Robots.txt rewrite plugin <= 1.6.1 - Cross Site Request Forgery (CSRF) vulnerability CVE-2023-22457 org.xwiki.contrib:application-ckeditor-ui vulnerable to Remote Code Execution via Cross-Site Request Forgery CVE-2025-43835 WordPress wp-cyr-cho plugin <= 0.1 - Cross Site Request Forgery (CSRF) vulnerability CVE-2023-27430 WordPress Mass Delete Unused Tags Plugin <= 2.0.0 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2023-31089 WordPress Video XML Sitemap Generator Plugin <= 1.0.0 is vulnerable to Cross Site Request Forgery (CSRF)