SCA: security update for esphome (GHSA-9p43-hj5j-96h5)

high Tenable Self-Hosted Container Security Plugin ID 413380

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- ESPHome is a system to control your ESP8266/ESP32 for Home Automation systems. Starting in version
2023.12.9 and prior to version 2024.2.2, editing the configuration file API in dashboard component of
ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data
with `Content-Type: text/html; charset=UTF-8`, allowing a remote authenticated user to inject arbitrary
web script and exfiltrate session cookies via Cross-Site scripting. It is possible for a malicious
authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit
endpoint, the configuration parameter allows to specify the file to write. To trigger the XSS
vulnerability, the victim must visit the page` /edit?configuration=[xss file]`. Abusing this vulnerability
a malicious actor could perform operations on the dashboard on the behalf of a logged user, access
sensitive information, create, edit and delete configuration files and flash firmware on managed boards.
In addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie
values. Version 2024.2.2 contains a patch for this issue. (CVE-2024-27287)

See Also

https://github.com/advisories/GHSA-9p43-hj5j-96h5

Plugin Details

Severity: High

ID: 413380

Version: Revision 1.12

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.8

Percentile: 57.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N

CVSS Score Source: CVE-2024-27287

CVSS v3

Risk Factor: High

Base Score: 8.7

Temporal Score: 7.6

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/6/2024

Vulnerability Publication Date: 3/6/2024

Reference Information

CVE: CVE-2024-27287

cwe: CWE-79