CVE-2021-47942
EUVD-2021-3483816.05.2026, 16:16
Home Assistant Community Store (HACS) prior to 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, then craft valid JWT tokens to gain administrative access to Home Assistant instances.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| hacs | home_assistant_community_store | 𝑥 < 1.10.0 |
𝑥
= Vulnerable software versions