
Conversation

pwnpanda

Updates

  • CVSS v4
  • Severity

Comments
The result of this vulnerability when exploited is full system compromise, with the ability to move laterally further into the network. You also obtain code execution in the victim's browser, as with traditional XSS. I did not include the CVSS score in the initial report due to having a separate vulnerability rating system as part of the report. Apologies.

@github
Collaborator

github commented Oct 15, 2025

Hi there @bramkragten! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@github-actions github-actions bot changed the base branch from main to pwnpanda/advisory-improvement-6322 October 15, 2025 18:37
@helixplant

Hi @pwnpanda,
Thank you for providing additional information! However, there are some concerns about the proposed score where the increase from Medium to Critical severity presents a substantial escalation. Additionally, the proposed CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H appears to clash with some of the information provided in the advisory.

It seems that the direct impact affects user information and integrity within the browser itself, and direct user interaction is required for exploitation.

Understanding this impact I would suggest an updated severity of High through CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N.

I would love to discuss this more with you and hear your thoughts on using CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N instead, or any specific evidence or attack scenarios that would justify the higher impact ratings. If there are exploitation paths I've overlooked that enable system wide compromise or pivot capabilities, please share those details so we can best represent the severity and vulnerability!

@pwnpanda
Author

Hi @helixplant and thank you for your review.

I agree that user interaction is required. I did not consider that, as the behavior will likely naturally occur during normal use, but you are 100% correct.

I do not understand why you have put Availability at None. It is trivial, once exploited, to take the system down. Remote Code Execution (RCE) means wiping the device is as easy as sudo rm -rf /. This leads to complete loss of availability. Another option to achieve the same result is to delete all users except one you create, locking all legitimate users out of the device.

While I do not quite understand the use of the Subsequent System impact metrics, my interpretation is that they are used to evaluate whether you can use this vulnerability to allow for lateral movement affecting the CIA triad.
My interpretation is that the initial attack vector gives complete control over the front-end user (a.k.a. affecting all three facets of the CIA triad completely) and the browser.
The subsequent system will then be other users or the host itself. Since, as discussed, moving from account takeover to RCE is available as a feature in the system and intended behavior, you get a complete compromise of the subsequent system as well, and can even do network enumeration and exploitation towards other devices on the same network, from the compromised device.

As such, my suggestion would be this CVSS score: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

I am new to the Subsequent system impact metrics, and would love to get more insight into how it is used. I do understand that you are hesitant to escalate the finding to Critical (I set it as High in my initial evaluation), but unfortunately CVSS does not seem to capture the relevant aspect of the exploit leading to that evaluation.

My reason was that the requirements you have to meet in order to exploit the bug are substantial! (Compromised third-party account for the victim, compromised third-party service, or social engineering to deliver the malicious payload.)
Unfortunately, I cannot find a relevant vector in CVSS, except maybe Privileges Required, and even that does not fit based on the description on GitHub or FIRST.

Please share your opinion and evaluation. If we can get it to a "High" severity, with correct impact assessment, that would be the best outcome!
I look forward to hearing from you!

@helixplant

Thank you @pwnpanda for the further clarification! I see the reasoning behind the increased scoring and I understand any hesitation to lower the C.I.A. metrics, along with the need for Availability scores. With CVSS 4.0 there is a separate Exploit Maturity threat metric we can use, since you provided a PoC in the advisory. This makes the score reach a severity of High rather than Critical with the following score: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P, where E:P (representing the existence of a PoC) has been added to your most recently proposed score of CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H.

If this works with you, I am good with updating the CVE and the Advisory to better reflect the scoring.

@pwnpanda
Author

Hi again @helixplant,

That sounds perfect! Please go ahead.
Thank you for your time and for the help with finding a good solution, I appreciate it!

@advisory-database advisory-database bot merged commit db0d909 into pwnpanda/advisory-improvement-6322 Oct 21, 2025
4 checks passed
@advisory-database
Contributor

Hi @pwnpanda! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the pwnpanda-GHSA-mq77-rv97-285m branch October 21, 2025 20:39