cross-posted from: https://sh.itjust.works/post/61250326

A crafted MeshCore node name could compromise any Home Assistant instance running meshcore-card as soon as someone viewed a dashboard with that card.

The same XSS (cross-site scripting) pattern appears to be present in MeshCore-Home-Assistant-Panel-v2 and its HACS variant.

To be abundantly clear, and the post goes into detail why, this is not a bug in MeshCore but rather in how web dashboards are not properly sanitizing untrusted input. In this case, the untrusted input is via a field that any malicious MeshCore node could send.

Well worth a read and a follow on their Mastodon.
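To make the pattern concrete, here is an added example in plain JavaScript; it is not code from meshcore-card, the panel, or the linked post, and the advert object, its fields and the row-rendering functions are assumptions for illustration. It shows the two ways a dashboard card might turn a radio-supplied node name into HTML: raw interpolation (the class of bug described above) and interpolation through an HTML escaper, plus a small tag-allowlist check a card author could keep in their tests to catch a regression.

```javascript
// Added example, not project code: a MeshCore node name is attacker-controlled
// input that arrives over the air, so a card must treat it as untrusted text.

// Constructed sample advert. Only `name` is chosen by the remote node; the
// markup inside it is the kind of thing a sanitizer must render inert.
const sampleAdvert = {
  pubkey: "0123abcd", // constructed placeholder, not a real key
  name: '<img src=x onerror="alert(1)">',
  lastSeen: "2024-01-01T00:00:00Z",
};

// Escape the five characters that let text break out into markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the name is concatenated straight into markup that a
// card would later assign to innerHTML (or pass to Lit's unsafeHTML()).
function renderNodeRowUnsafe(node) {
  return `<tr><td>${node.name}</td><td>${node.lastSeen}</td></tr>`;
}

// Hardened pattern: every untrusted field is escaped before it becomes markup,
// so the name is displayed literally instead of being parsed as HTML.
function renderNodeRowSafe(node) {
  return `<tr><td>${escapeHtml(node.name)}</td><td>${escapeHtml(node.lastSeen)}</td></tr>`;
}

// Regression check: collect every tag name in the rendered string and confirm
// only the card's own table tags are present.
function onlyExpectedTags(htmlString, allowed) {
  const tags = [...htmlString.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.every((t) => allowed.includes(t));
}

// Stand-alone demonstration: the unsafe render leaks an <img> tag, the safe one does not.
console.log("unsafe ok?", onlyExpectedTags(renderNodeRowUnsafe(sampleAdvert), ["tr", "td"]));
console.log("safe ok?", onlyExpectedTags(renderNodeRowSafe(sampleAdvert), ["tr", "td"]));
```

In a real card the same guarantee comes for free from assigning `element.textContent = node.name` or from Lit's default `html` template bindings, which escape interpolated values; the bug class appears when a card reaches for `innerHTML` or `unsafeHTML()` with a field the radio supplied.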

    • tribut@infosec.pub · 3 hours ago

      This has nothing to do with meshcore as a protocol, the problem is that some HA addons don’t treat untrusted input properly. The malicious name could have been transmitted via meshtastic or carrier pigeon, if another addon did the same dumb thing.