Cross Site Scripting (XSS)

home-assistant/core and home-assistant-js-websocket are vulnerable to XSS attack.The vulnerability occurs due to a loophole in Websocket authentication logic. The logic utilises a `state` parameter which contains `hassurl`. This mechanism enables attackers to spoof websocket responses and trigger XSS.Read More