CVE-2023-41898

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-41898

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41898.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-41898

Aliases

GHSA-jvpm-q3hq-86rg

Published

2023-10-19T22:08:40.783Z

Modified

2026-04-10T05:01:22.541728Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Arbitrary URL load in Android WebView in `MyActivity.kt` in Home Assistant Companion for Android

Details

Home assistant is an open source home automation. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential theft. This issue has been patched in version 2023.9.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-142.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/41xxx/CVE-2023-41898.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-345",
        "CWE-94"
    ]
}

References

Affected packages

Git / github.com/home-assistant/core

Affected ranges

Type: GIT
Repo: https://github.com/home-assistant/core
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c6ed2350106fc5e89a0bb03343446bea797960c9

Affected versions

0.*

0.103.0

0.103.0b0

0.103.0b1

0.103.1

0.103.2

0.103.3

0.103.4

0.103.5

0.103.6

0.104.0

0.104.1

0.104.2

0.104.3

0.105.0

0.105.1

0.105.2

0.105.3

0.105.4

0.105.5

0.106.0

0.106.1

0.106.2

0.106.3

0.106.4

0.106.5

0.106.6

0.107.0

0.107.1

0.107.2

0.107.3

0.107.4

0.107.5

0.107.6

0.107.7

0.108.0

0.108.1

0.108.2

0.108.3

0.108.4

0.108.5

0.108.6

0.108.7

0.108.8

0.108.9

0.109.0

0.109.1

0.109.2

0.109.3

0.109.4

0.109.5

0.109.6

0.110.0

0.110.1

0.110.2

0.110.3

0.110.4

0.110.5

0.110.6

0.110.7

0.111.0

0.111.1

0.111.2

0.111.3

0.111.4

0.112.0

0.112.1

0.112.2

0.112.3

0.112.4

0.112.5

0.113.0

0.113.1

0.113.2

0.113.3

0.114.0

0.114.1

0.114.2

0.114.3

0.114.4

0.115.0

0.115.1

0.115.2

0.115.3

0.115.4

0.115.5

0.115.6

0.116.0

0.116.1

0.116.2

0.116.3

0.116.4

0.117.0

0.117.1

0.117.2

0.117.3

0.117.4

0.117.5

0.117.6

0.118.0

0.118.1

0.118.2

0.118.3

0.118.4

0.118.5

0.28

0.7.6

0.81.1

2020.*

2020.12.0

2020.12.1

2020.12.2

2021.*

2021.1.0

2021.1.1

2021.1.2

2021.1.3

2021.1.4

2021.1.5

2021.10.0

2021.10.1

2021.10.2

2021.10.3

2021.10.4

2021.10.5

2021.10.6

2021.10.7

2021.11.0

2021.11.1

2021.11.2

2021.11.3

2021.11.4

2021.11.5

2021.12.0

2021.12.1

2021.12.10

2021.12.2

2021.12.3

2021.12.4

2021.12.5

2021.12.6

2021.12.7

2021.12.8

2021.12.9

2021.2.0

2021.2.1

2021.2.2

2021.2.3

2021.3.0

2021.3.1

2021.3.2

2021.3.3

2021.3.4

2021.4.0

2021.4.1

2021.4.2

2021.4.3

2021.4.4

2021.4.5

2021.4.6

2021.5.0

2021.5.1

2021.5.2

2021.5.3

2021.5.4

2021.5.5

2021.6.0

2021.6.1

2021.6.2

2021.6.3

2021.6.4

2021.6.5

2021.6.6

2021.7.0

2021.7.1

2021.7.2

2021.7.3

2021.7.4

2021.8.0

2021.8.1

2021.8.2

2021.8.3

2021.8.4

2021.8.5

2021.8.6

2021.8.7

2021.8.8

2021.9.0

2021.9.1

2021.9.2

2021.9.3

2021.9.4

2021.9.5

2021.9.6

2021.9.7

2022.*

2022.10.0

2022.10.1

2022.10.2

2022.10.3

2022.10.4

2022.10.5

2022.11.0

2022.11.1

2022.11.2

2022.11.3

2022.11.4

2022.11.5

2022.12.0

2022.12.1

2022.12.2

2022.12.3

2022.12.4

2022.12.5

2022.12.6

2022.12.7

2022.12.8

2022.12.9

2022.2.0

2022.2.1

2022.2.2

2022.2.3

2022.2.4

2022.2.5

2022.2.6

2022.2.7

2022.2.8

2022.2.9

2022.3.0

2022.3.1

2022.3.2

2022.3.3

2022.3.4

2022.3.5

2022.3.6

2022.3.7

2022.3.8

2022.4.0

2022.4.1

2022.4.2

2022.4.3

2022.4.4

2022.4.5

2022.4.6

2022.4.7

2022.5.0

2022.5.1

2022.5.2

2022.5.3

2022.5.4

2022.5.5

2022.6.0

2022.6.1

2022.6.2

2022.6.3

2022.6.4

2022.6.5

2022.6.6

2022.6.7

2022.7.0

2022.7.1

2022.7.2

2022.7.3

2022.7.4

2022.7.5

2022.7.6

2022.7.7

2022.8.0

2022.8.1

2022.8.2

2022.8.3

2022.8.4

2022.8.5

2022.8.6

2022.8.7

2022.9.0

2022.9.1

2022.9.2

2022.9.3

2022.9.4

2022.9.5

2022.9.6

2022.9.7

2023.*

2023.1.0

2023.1.1

2023.1.2

2023.1.3

2023.1.4

2023.1.5

2023.1.6

2023.1.7

2023.2.0

2023.2.1

2023.2.2

2023.2.3

2023.2.4

2023.2.5

2023.3.0

2023.3.1

2023.3.2

2023.3.3

2023.3.4

2023.3.5

2023.3.6

2023.4.0

2023.4.1

2023.4.2

2023.4.3

2023.4.4

2023.4.5

2023.4.6

2023.5.0

2023.5.1

2023.5.2

2023.5.3

2023.5.4

2023.6.0

2023.6.1

2023.6.2

2023.6.3

2023.7.0

2023.7.1

2023.7.2

2023.7.3

2023.8.0

2023.8.1

2023.8.2

2023.8.3

2023.8.4

2023.9.0

2023.9.1

Other

Last-Python2-release

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41898.json"