Home-Assistant: Security Vulnerabilities
An information leak in Nabu Casa Home Assistant Operating System and Home Assistant Supervised 2022.03 allows a DNS operator to gain knowledge about internal network resources via the hardcoded DNS resolver configuration.
CVSS Score
7.5
EPSS Score
0.018
Published
2022-03-10
Home Assistant before 2021.1.3 does not have a protection layer that can help to prevent directory-traversal attacks against custom integrations. NOTE: the vendor's perspective is that the vulnerability itself is in custom integrations written by third parties, not in Home Assistant; however, Home Assistant does have a security update that is worthwhile in addressing this situation
CVSS Score
5.3
EPSS Score
0.004
Published
2021-01-26
Home Assistant before 0.67.0 was vulnerable to an information disclosure that allowed an unauthenticated attacker to read the application's error log via components/api.py.
CVSS Score
7.5
EPSS Score
0.011
Published
2019-09-23
In Home Assistant before 0.57, it is possible to inject JavaScript code into a persistent notification via crafted Markdown text, aka XSS.
CVSS Score
6.1
EPSS Score
0.002
Published
2017-11-10
Page 2