Cross-Site Request Forgery (CSRF) Affecting esphome package, versions [2023.12.9, 2024.3.0)


Severity: high

Snyk CVSS

    Attack Complexity: Low
    User Interaction: Required
    Confidentiality: High
    Integrity: High

    Threat Intelligence

    Exploit Maturity: Proof of concept
    EPSS: 0.04% (9th percentile)

  • Snyk ID SNYK-PYTHON-ESPHOME-6476911
  • published 22 Mar 2024
  • disclosed 21 Mar 2024
  • credit Unknown

How to fix?

Upgrade esphome to version 2024.3.0 or higher.

Overview

esphome is a tool that makes creating custom firmwares for ESP32/ESP8266 super easy.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) due to insufficient protection for API endpoints in the dashboard component. An attacker can perform operations on configuration files (create, edit, delete) on behalf of a logged-in user by directing them to visit a maliciously crafted web page. This effectively bypasses authentication for API calls. The vulnerability can be further exploited in conjunction with another issue to achieve complete account takeover.
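To make the weakness and the usual fix concrete, the following is an added example (not esphome's code) that models a dashboard "edit configuration" endpoint in two forms: one that trusts the session cookie alone, so a cross-site form post authenticated by the victim's browser goes through, and one that additionally checks the request Origin and a per-session CSRF token. The dashboard origin, the endpoint shape and the form field names are assumptions.

```python
import hmac
import secrets

# Assumed origin of the legitimate dashboard (hypothetical value, not from esphome).
DASHBOARD_ORIGIN = "http://dashboard.local:6052"

def vulnerable_edit(req, configs):
    # Trusts the session cookie alone, so a cross-site form post succeeds.
    if req["cookies"].get("session") != "valid":
        return 401
    configs[req["form"]["configuration"]] = req["form"]["content"]
    return 200

def protected_edit(req, configs, session_token):
    # Same cookie check, plus an Origin check and a per-session CSRF token.
    # Fails closed: a request carrying neither Origin nor Referer is refused.
    if req["cookies"].get("session") != "valid":
        return 401
    origin = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    if not (origin == DASHBOARD_ORIGIN or origin.startswith(DASHBOARD_ORIGIN + "/")):
        return 403
    if not hmac.compare_digest(req["form"].get("csrf_token", ""), session_token):
        return 403
    configs[req["form"]["configuration"]] = req["form"]["content"]
    return 200

def demo():
    # Replays a forged and a legitimate edit against both handlers and returns
    # (forged status, whether the file was tampered, legitimate status) for each.
    token = secrets.token_hex(16)
    original = "esphome:\n  name: living_room\n"
    # Constructed cross-site post: the browser attaches the session cookie, but the
    # Origin is the attacker's page and no token is present.
    forged = {"headers": {"Origin": "http://evil.example"},
              "form": {"configuration": "living_room.yaml", "content": "# overwritten"},
              "cookies": {"session": "valid"}}
    legit = {"headers": {"Origin": DASHBOARD_ORIGIN},
             "form": {"configuration": "living_room.yaml", "content": "# edited",
                      "csrf_token": token},
             "cookies": {"session": "valid"}}
    results = {}
    for name, handler in (("vulnerable", vulnerable_edit),
                          ("protected", lambda r, c: protected_edit(r, c, token))):
        configs = {"living_room.yaml": original}
        forged_status = handler(forged, configs)
        tampered = configs["living_room.yaml"] != original
        results[name] = (forged_status, tampered, handler(legit, configs))
    return results
```

Running `demo()` shows the vulnerable handler accepting the forged post (200 and the file overwritten) while the protected handler rejects it with 403 and still serves the legitimate edit.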

PoC

<script>
document.forms[0].submit();
</script>

