CVE-2024-42467 in openhab-webui
Summary
by MITRE • 08/12/2024
openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. Prior to version 4.2.1, the proxy endpoint of openHAB's CometVisu add-on can be accessed without authentication. This proxy-feature can be exploited as Server-Side Request Forgery (SSRF) to induce GET HTTP requests to internal-only servers, in case openHAB is exposed in a non-private network. Furthermore, this proxy-feature can also be exploited as a Cross-Site Scripting (XSS) vulnerability, as an attacker is able to re-route a request to their server and return a page with malicious JavaScript code. Since the browser receives this data directly from the openHAB CometVisu UI, this JavaScript code will be executed with the origin of the CometVisu UI. This allows an attacker to exploit call endpoints on an openHAB server even if the openHAB server is located in a private network. (e.g. by sending an openHAB admin a link that proxies malicious JavaScript.) This issue may lead up to Remote Code Execution (RCE) when chained with other vulnerabilities. Users should upgrade to version 4.2.1 of the CometVisu add-on of openHAB to receive a patch.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/15/2025
The vulnerability identified as CVE-2024-42467 affects the CometVisu add-on within openHAB, an open-source home automation platform that provides comprehensive visualization capabilities for smart home environments. This security flaw exists in versions prior to 4.2.1 and represents a critical authentication bypass issue within the proxy endpoint functionality of the visualization component. The vulnerability stems from insufficient access controls that allow unauthorized users to exploit the proxy feature without proper authentication, creating a significant attack surface for malicious actors who can leverage this weakness to compromise the integrity and confidentiality of home automation systems.
The technical implementation of this vulnerability manifests through two primary attack vectors that compound the security risk. The first vector is Server-Side Request Forgery (SSRF) which occurs when the unauthenticated proxy endpoint accepts requests and forwards them to internal network resources. This allows attackers to make HTTP GET requests to servers that should normally be inaccessible from the external network, effectively bypassing network segmentation controls. The second vector involves Cross-Site Scripting (XSS) exploitation where attackers can redirect proxy requests to malicious servers hosting JavaScript payloads. When browsers receive these malicious scripts through the CometVisu UI, the code executes with the origin context of the legitimate UI, enabling attackers to perform actions against the openHAB server that would otherwise be restricted due to security policies.
The operational impact of this vulnerability extends beyond simple data exposure to potentially enable full system compromise. When combined with other vulnerabilities, the SSRF capability can lead to Remote Code Execution (RCE) scenarios, particularly when attackers can manipulate internal services that may have elevated privileges or access to sensitive system resources. The vulnerability affects environments where openHAB is deployed in non-private network configurations, making it particularly dangerous for home automation systems that may be exposed to the internet. This creates a significant risk for users who operate their home automation systems in cloud environments or public network configurations without proper firewall restrictions.
Security practitioners should recognize this vulnerability as a clear example of insufficient authentication controls and improper input validation, which aligns with CWE-285 (Improper Authorization) and CWE-79 (Cross-Site Scripting). The attack pattern follows established techniques documented in the MITRE ATT&CK framework under T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter), demonstrating how initial access through authentication bypass can escalate to full system compromise. Organizations should implement immediate mitigation strategies including upgrading to the patched version 4.2.1 of the CometVisu add-on, implementing network segmentation controls to restrict access to internal systems, and conducting thorough security assessments of all home automation deployments to identify similar vulnerabilities in related components. The vulnerability highlights the importance of securing all application endpoints, particularly those that function as proxies or gateways to internal resources, as these often become primary targets for attackers seeking to establish persistent access within network environments.