CVSS 3.1 Score 6.5 of 10 (medium)


Published Mar 6, 2024


CVE-2024-27287 is a vulnerability in ESPHome, a system for controlling ESP8266/ESP32 devices in home automation setups. It affects versions prior to 2024.2.2 and was identified in the API configuration file editing component of ESPHome version 2023.12.9. A remote authenticated user can inject arbitrary web script and exfiltrate session cookies through a cross-site scripting (XSS) attack. Exploitation requires sending a POST request to the /edit endpoint with a malicious JavaScript file supplied in the configuration parameter. A successful attack could lead to unauthorized operations on the dashboard, access to sensitive information, manipulation of configuration files, and firmware flashing. The vulnerability is rated medium severity: it requires high privileges and impacts integrity and confidentiality.
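An added defender-side illustration (not ESPHome's own code) of the two points above: escaping stored configuration text before it is rendered in the dashboard, and flagging POST requests to /edit whose configuration field carries script markup. It assumes the configuration arrives as a form-encoded field named `configuration`; the sample requests are constructed.

```python
import html
import re
from urllib.parse import parse_qs

# Markers of script injection in a submitted configuration body (illustrative list).
SCRIPT_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),   # <script> tags
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE), # inline event handlers, e.g. onload=
    re.compile(r"javascript\s*:", re.IGNORECASE), # javascript: URLs
]


def render_config_safely(config_text: str) -> str:
    """Mitigation: HTML-escape the stored configuration before placing it in the
    dashboard page, so any '<script>' in the file is displayed as text, not executed."""
    return "<pre>" + html.escape(config_text, quote=True) + "</pre>"


def flag_edit_request(method: str, path: str, body: str) -> bool:
    """Detection: True for a POST to /edit whose 'configuration' field contains
    script markup. The form field name is an assumption for this example."""
    if method.upper() != "POST" or path.split("?", 1)[0] != "/edit":
        return False
    fields = parse_qs(body, keep_blank_values=True)
    return any(
        pattern.search(value)
        for value in fields.get("configuration", [])
        for pattern in SCRIPT_PATTERNS
    )


# Constructed sample requests: a benign YAML edit and one carrying a script tag.
SAMPLE_REQUESTS = [
    ("POST", "/edit?configuration=kitchen.yaml", "configuration=esphome%3A%0A++name%3A+kitchen"),
    ("POST", "/edit", "configuration=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("GET", "/edit", ""),
]


def review_samples() -> list:
    """Run the detector over the constructed requests and return the flags."""
    return [flag_edit_request(m, p, b) for m, p, b in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, flagged in zip(SAMPLE_REQUESTS, review_samples()):
        print(req[0], req[1], "-> suspicious" if flagged else "-> ok")
    print(render_config_safely("<script>alert(1)</script>"))
```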

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2024-27287 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options