GHSA-9p43-hj5j-96h5 · 深刻度: medium · エコシステム: pip — esphome vulnerable to stored Cross-site Scripting in edit configuration file API
ESPHome is a system to control your ESP8266/ESP32 for Home Automation systems. Starting in version 2023.12.9 and prior to version 2024.2.2, editing the configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with `Content-Type: text/html; charset=UTF-8`, allowing a remote authenticated user to inject arbitrary web script and exfiltrate session cookies via Cross-Site scripting. It is possible for a malicious authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit endpoint, the configuration parameter allows to specify the file to write. To trigger the XSS vulnerability, the victim must visit the page` /edit?configuration=[xss file]`. Abusing this vulnerability a malicious actor could perform operations on the dashboard on the behalf of a logged user, access sensitive information, create, edit and delete configuration files and flash firmware on managed boards. In addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie values. Version 2024.2.2 contains a patch for this issue.
総合評価: CVE-2024-27287 は中リスク(42.9/100)。CVSS 深刻度は中。悪用される可能性が高い(EPSS 0.68%、47 パーセンタイル) 推奨対応: 影響資産を整理し、修補計画に組み込んでください。
リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。
EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。
| # | 日付 | 旧 EPSS スコア | 新 EPSS スコア | Δ(新 − 旧) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.27% | 0.68% | +0.41% |
| 2 | 2026-04-22 | 0.19% | 0.27% | +0.07% |
| 3 | 2026-03-25 | — | 0.19% | — |
EPSS の全履歴 (全 11 件)
この CVE の CVSS 指標。
| ベーススコア | バージョン | 深刻度 | ベクトル | 悪用しやすさ | 影響 | スコアの出典 |
|---|---|---|---|---|---|---|
| 6.5 | 3.1 | MEDIUM |
|
1.2 | 5.2 | [email protected] |
| 8.7 | 3.1 | HIGH |
|
2.3 | 5.8 | [email protected] |
GHSA-9p43-hj5j-96h5 · 深刻度: medium · エコシステム: pip — esphome vulnerable to stored Cross-site Scripting in edit configuration file API
| URL | タグ |
|---|---|
| https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455 | Patch |
| https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5 | Technical Description Vendor Advisory |