ha-mcp OAuth Consent Form Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting vulnerability has been identified in ha-mcp versions through 6.7.2, specifically within the OAuth consent form. The issue arises because user-controlled parameters are rendered using Python f-strings without proper HTML escaping. This vulnerability affects only users in beta OAuth mode (ha-mcp-oauth), which requires explicit configuration and is not part of the standard setup. An attacker who can access the OAuth endpoint and persuade the server operator to follow a crafted authorization URL could execute JavaScript in the operator's browser.
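As an added example, not ha-mcp's own code, the rendering pattern the advisory describes is shown beside its escaped counterpart and a small regression check; the parameter names client_id, redirect_uri and scope and the form layout are assumed for illustration.

```python
import html

# Illustration of the bug class from the advisory: OAuth consent-form
# parameters interpolated into HTML with f-strings and no escaping.
# Not ha-mcp code; parameter names and form layout are assumed.


def render_consent_vulnerable(client_id: str, redirect_uri: str, scope: str) -> str:
    """Mirrors the flaw: every value lands in the markup exactly as received."""
    return (
        "<form method='post' action='/oauth/consent'>"
        f"<p>Application <b>{client_id}</b> requests scope <code>{scope}</code>.</p>"
        f"<input type='hidden' name='redirect_uri' value='{redirect_uri}'>"
        "<button type='submit'>Approve</button></form>"
    )


def render_consent_safe(client_id: str, redirect_uri: str, scope: str) -> str:
    """Same form, but each untrusted value is HTML-escaped first.

    quote=True also converts ' and ", so a value cannot close the
    single-quoted value='...' attribute and start a new one.
    """
    c, r, s = (html.escape(v, quote=True) for v in (client_id, redirect_uri, scope))
    return (
        "<form method='post' action='/oauth/consent'>"
        f"<p>Application <b>{c}</b> requests scope <code>{s}</code>.</p>"
        f"<input type='hidden' name='redirect_uri' value='{r}'>"
        "<button type='submit'>Approve</button></form>"
    )


def unescaped_values(rendered: str, untrusted: dict) -> list:
    """Regression check: names of untrusted inputs that contain markup
    characters and still appear verbatim in the rendered page."""
    return [name for name, value in untrusted.items()
            if any(ch in value for ch in "<>\"'") and value in rendered]


# Constructed request parameters carrying markup characters; the client and
# redirect URI are placeholders, not a real OAuth registration.
SAMPLE = {
    "client_id": "<script>marker()</script>",
    "redirect_uri": "https://example.invalid/cb?note='<b>'",
    "scope": "read",
}

if __name__ == "__main__":
    print(unescaped_values(render_consent_vulnerable(**SAMPLE), SAMPLE))  # ['client_id', 'redirect_uri']
    print(unescaped_values(render_consent_safe(**SAMPLE), SAMPLE))        # []
```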
Impact
Successful exploitation lets an attacker execute JavaScript in the context of the server operator's browser, which could lead to the exfiltration of sensitive data such as the Home Assistant Long-Lived Access Token.
Remediation
Users should upgrade to ha-mcp version 7.0.0, which addresses this vulnerability.
