CVE-2024-27287

CVSS 3.1 Score 6.5 of 10 (medium)

Details

Published Mar 6, 2024
CWE ID 79

Summary

CVE-2024-27287 is a vulnerability found in ESPHome, a system used for controlling ESP8266/ESP32 devices in home automation systems. The vulnerability exists in versions prior to 2024.2.2, specifically in the API configuration file editing component of ESPHome version 2023.12.9. It allows a remote authenticated user to inject arbitrary web script and exfiltrate session cookies through a cross-site scripting (XSS) attack. To exploit this vulnerability, the attacker needs to send a POST request to the /edit endpoint with a malicious JavaScript file specified in the configuration parameter. This could lead to unauthorized operations on the dashboard, access to sensitive information, manipulation of configuration files, and firmware flashing. The vulnerability has been rated as medium severity with high privileges required and impacts integrity and confidentiality.
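A defender can review dashboard access logs for requests to the /edit endpoint that name a non-YAML file in the configuration parameter. The following is an added example, not code from ESPHome or from this advisory. It assumes that legitimate configurations end in .yaml or .yml, that the parameter is carried in the query string, and that a reverse proxy writes combined-format log lines; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate dashboard configurations are YAML files.
ALLOWED_SUFFIXES = (".yaml", ".yml")

# Matches the request part of a combined-format access log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (not taken from a real system).
SAMPLE_LOG = """\
192.0.2.10 - admin [06/Mar/2024:10:00:01 +0000] "GET /edit?configuration=livingroom.yaml HTTP/1.1" 200 512
192.0.2.10 - admin [06/Mar/2024:10:00:09 +0000] "POST /edit?configuration=livingroom.yaml HTTP/1.1" 200 0
198.51.100.7 - admin [06/Mar/2024:10:02:30 +0000] "POST /edit?configuration=widget.js HTTP/1.1" 200 0
198.51.100.7 - admin [06/Mar/2024:10:02:41 +0000] "POST /edit?configuration=page%2Ehtml HTTP/1.1" 200 0
192.0.2.10 - admin [06/Mar/2024:10:03:00 +0000] "GET /devices HTTP/1.1" 200 2048
"""


def suspicious_edit_requests(log_text):
    """Return (method, configuration) for /edit requests naming a non-YAML file."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        url = urlsplit(match.group("target"))
        if url.path.rstrip("/") != "/edit":
            continue  # only the configuration editing endpoint is of interest
        # parse_qs percent-decodes values, so encoded extensions are caught too.
        for name in parse_qs(url.query).get("configuration", []):
            if not name.lower().endswith(ALLOWED_SUFFIXES):
                findings.append((match.group("method"), name))
    return findings


if __name__ == "__main__":
    for method, name in suspicious_edit_requests(SAMPLE_LOG):
        print(f"review: {method} /edit configuration={name}")
```

Hits from this check are leads for review on instances that ran a version prior to 2024.2.2, not proof of exploitation.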
