Cross-Site Request Forgery (CSRF) Affecting esphome package, versions [2023.12.9, 2024.3.0)
- Snyk ID SNYK-PYTHON-ESPHOME-6476911
- published 22 Mar 2024
- disclosed 21 Mar 2024
- credit Unknown
Introduced: 21 Mar 2024
CVE-2024-29019
How to fix?
Upgrade esphome to version 2024.3.0 or higher.
Overview
esphome is a package that makes creating custom firmware for ESP32/ESP8266 easy.
Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) due to insufficient protection of the API endpoints in the dashboard component. An attacker can perform operations on configuration files (create, edit, delete) on behalf of a logged-in user by directing that user to a maliciously crafted web page. This effectively bypasses authentication for the API calls. The vulnerability can be chained with another issue to achieve complete account takeover.
PoC
<script>
document.forms[0].submit();
</script>
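The missing protection described in the overview is a server-side check that a state-changing dashboard API request actually originated from the dashboard itself. The following is an added illustration, not esphome's own code: a hypothetical `is_csrf_safe` helper that rejects a cross-origin auto-submitted form (the pattern in the PoC) by checking `Sec-Fetch-Site`, `Origin`/`Referer` against the dashboard's own origin, and a double-submit token. The dashboard origin `http://esphome.local:6052` and the cookie/header names are constructed for the example.

```python
"""CSRF guard for state-changing dashboard API calls (illustrative, not esphome code)."""
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin_of(url):
    """Reduce a URL to 'scheme://host[:port]'; None for 'null' or malformed values."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_csrf_safe(method, headers, cookies, allowed_origins):
    """Return True if the request may modify configuration files.

    headers / cookies are dicts with canonical key names (assumed);
    allowed_origins is a set of 'scheme://host[:port]' strings naming the
    dashboard itself. Read-only methods are always allowed.
    """
    if method.upper() in SAFE_METHODS:
        return True
    # Modern browsers label a request triggered from another site; reject it outright.
    if headers.get("Sec-Fetch-Site", "").lower() == "cross-site":
        return False
    # An auto-submitted form carries the attacker page's Origin (or 'null'),
    # which never matches the dashboard's own origin.
    source = headers.get("Origin") or headers.get("Referer")
    if source is None or _origin_of(source) not in allowed_origins:
        return False
    # Double-submit token: the header must echo the per-session cookie value.
    cookie_token = cookies.get("csrf_token", "")
    header_token = headers.get("X-CSRF-Token", "")
    return bool(cookie_token) and hmac.compare_digest(cookie_token, header_token)


if __name__ == "__main__":
    dashboard = {"http://esphome.local:6052"}  # constructed dashboard origin
    # Constructed request resembling the PoC: cross-origin POST, no token.
    forged = {"Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site"}
    print("forged form accepted:", is_csrf_safe("POST", forged, {}, dashboard))
    genuine = {"Origin": "http://esphome.local:6052", "X-CSRF-Token": "t0k3n"}
    print("dashboard call accepted:",
          is_csrf_safe("POST", genuine, {"csrf_token": "t0k3n"}, dashboard))
```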