CVE-2023-41899 (home-assistant)

Home assistant is an open source home automation. In affected versions the `hassio.addon_stdin` is vulnerable to a partial Server-Side Request Forgery where an attacker capable of calling this service (e.g.: through GHSA-h2jp-7grc-9xpp) may be able to invoke any Supervisor REST API endpoints with a POST request. An attacker able to exploit will be able to control the data dictionary, including its addon and input key/values. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. …

api api endpoints assistant attacker automation calling control cve data endpoints exploit forgery home home assistant home automation may open source partial request rest rest api server server-side request forgery service vulnerable