漏洞标题
在 `MyActivity.kt` 中加载任意 URL 的 Android WebView 实现
漏洞描述信息
在Home Assistant Companion for Android的`MyActivity.kt`中的Android WebView中任意URL加载
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
漏洞类别
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
漏洞标题
Arbitrary URL load in Android WebView in `MyActivity.kt` in Home Assistant Companion for Android
漏洞描述信息
Home assistant is an open source home automation. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential theft. This issue has been patched in version 2023.9.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-142`.
CVSS信息
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
漏洞类别
对数据真实性的验证不充分
漏洞标题
Home Assistant 代码注入漏洞
漏洞描述信息
Home Assistant是一套开源的家庭自动化管理系统。该系统主要用于控制家庭自动化设备。 Home Assistant 2023.9.2之前版本存在安全漏洞,该漏洞源于WebView中存在任意URL加载问题。攻击者可利用该漏洞进行任意JavaScript执行、有限的本地代码执行和凭据盗窃等操作。
CVSS信息
N/A
漏洞类别
代码注入