{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27287", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-22T18:08:38.873Z", "datePublished": "2024-03-06T18:19:48.117Z", "dateUpdated": "2024-08-26T14:04:49.512Z"}, "containers": {"cna": {"title": "ESPHome vulnerable to stored Cross-site Scripting in edit configuration file API", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5"}, {"name": "https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455", "tags": ["x_refsource_MISC"], "url": "https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455"}], "affected": [{"vendor": "esphome", "product": "esphome", "versions": [{"version": ">= 2023.12.9, < 2024.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-06T18:19:48.117Z"}, "descriptions": [{"lang": "en", "value": "ESPHome is a system to control your ESP8266/ESP32 for Home Automation systems. Starting in version 2023.12.9 and prior to version 2024.2.2, editing the configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with `Content-Type: text/html; charset=UTF-8`, allowing a remote authenticated user to inject arbitrary web script and exfiltrate session cookies via Cross-Site scripting. It is possible for a malicious authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit endpoint, the configuration parameter allows to specify the file to write. To trigger the XSS vulnerability, the victim must visit the page` /edit?configuration=[xss file]`. Abusing this vulnerability a malicious actor could perform operations on the dashboard on the behalf of a logged user, access sensitive information, create, edit and delete configuration files and flash firmware on managed boards.\nIn addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie values. Version 2024.2.2 contains a patch for this issue.\n"}], "source": {"advisory": "GHSA-9p43-hj5j-96h5", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:59.920Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5"}, {"name": "https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455"}]}, {"affected": [{"vendor": "esphome", "product": "esphome", "cpes": ["cpe:2.3:a:esphome:esphome:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2023.12.9", "status": "affected", "lessThan": "2024.2.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-06T20:30:07.008805Z", "id": "CVE-2024-27287", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-26T14:04:49.512Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5", "name": "https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455", "name": "https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:59.920Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27287", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-03-06T20:30:07.008805Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:esphome:esphome:*:*:*:*:*:*:*:*"], "vendor": "esphome", "product": "esphome", "versions": [{"status": "affected", "version": "2023.12.9", "lessThan": "2024.2.2", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-26T14:04:45.642Z"}}], "cna": {"title": "ESPHome vulnerable to stored Cross-site Scripting in edit configuration file API", "source": {"advisory": "GHSA-9p43-hj5j-96h5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "esphome", "product": "esphome", "versions": [{"status": "affected", "version": ">= 2023.12.9, < 2024.2.2"}]}], "references": [{"url": "https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5", "name": "https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455", "name": "https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ESPHome is a system to control your ESP8266/ESP32 for Home Automation systems. Starting in version 2023.12.9 and prior to version 2024.2.2, editing the configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with `Content-Type: text/html; charset=UTF-8`, allowing a remote authenticated user to inject arbitrary web script and exfiltrate session cookies via Cross-Site scripting. It is possible for a malicious authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit endpoint, the configuration parameter allows to specify the file to write. To trigger the XSS vulnerability, the victim must visit the page` /edit?configuration=[xss file]`. Abusing this vulnerability a malicious actor could perform operations on the dashboard on the behalf of a logged user, access sensitive information, create, edit and delete configuration files and flash firmware on managed boards.\nIn addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie values. Version 2024.2.2 contains a patch for this issue.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-06T18:19:48.117Z"}}}, "cveMetadata": {"cveId": "CVE-2024-27287", "state": "PUBLISHED", "dateUpdated": "2024-08-26T14:04:49.512Z", "dateReserved": "2024-02-22T18:08:38.873Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-06T18:19:48.117Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:esphome:esphome:*:*:*:*:*:*:*:*", "matchCriteriaId": "631EA648-9548-4581-9188-43572B5DB0A8", "versionEndExcluding": "2024.2.2", "versionStartIncluding": "2023.12.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ESPHome is a system to control your ESP8266/ESP32 for Home Automation systems. Starting in version 2023.12.9 and prior to version 2024.2.2, editing the configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with `Content-Type: text/html; charset=UTF-8`, allowing a remote authenticated user to inject arbitrary web script and exfiltrate session cookies via Cross-Site scripting. It is possible for a malicious authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit endpoint, the configuration parameter allows to specify the file to write. To trigger the XSS vulnerability, the victim must visit the page` /edit?configuration=[xss file]`. Abusing this vulnerability a malicious actor could perform operations on the dashboard on the behalf of a logged user, access sensitive information, create, edit and delete configuration files and flash firmware on managed boards.\nIn addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie values. Version 2024.2.2 contains a patch for this issue.\n"}, {"lang": "es", "value": "ESPHome es un sistema para controlar su ESP8266/ESP32 para sistemas de dom\u00f3tica. A partir de la versi\u00f3n 2023.12.9 y antes de la versi\u00f3n 2024.2.2, la edici\u00f3n del archivo de configuraci\u00f3n API en el componente del panel de ESPHome versi\u00f3n 2023.12.9 (instalaci\u00f3n de l\u00ednea de comando y complemento Home Assistant) proporciona datos no desinfectados con `Tipo de contenido: texto/ HTML; charset=UTF-8`, lo que permite a un usuario autenticado remoto inyectar secuencias de comandos web arbitrarias y extraer cookies de sesi\u00f3n mediante secuencias de comandos entre sitios. Es posible que un usuario autenticado malicioso inyecte Javascript arbitrario en archivos de configuraci\u00f3n mediante una solicitud POST al punto final /edit; el par\u00e1metro de configuraci\u00f3n permite especificar el archivo a escribir. Para activar la vulnerabilidad XSS, la v\u00edctima debe visitar la p\u00e1gina ` /edit?configuration=[archivo xss]`. Al abusar de esta vulnerabilidad, un actor malintencionado podr\u00eda realizar operaciones en el tablero en nombre de un usuario registrado, acceder a informaci\u00f3n confidencial, crear, editar y eliminar archivos de configuraci\u00f3n y actualizar firmware en tableros administrados. Adem\u00e1s de esto, las cookies no est\u00e1n protegidas correctamente, lo que permite la filtraci\u00f3n de los valores de las cookies de sesi\u00f3n. La versi\u00f3n 2024.2.2 contiene un parche para este problema."}], "id": "CVE-2024-27287", "lastModified": "2025-12-03T21:06:16.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-06T19:15:07.723", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Technical Description"], "url": "https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory", "Technical Description"], "url": "https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-07-13T11:06:23.187258+00:00", "updated": "2025-07-13T11:06:23.187317+00:00", "vendors": ["esphome", "esphome$PRODUCT$esphome"]}