CVE-2023-3612

Published: Sep 11, 2023Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Govee Home app has unprotected access to WebView component which can be opened by any app on the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or steal sensitive user data by displaying phishing content.

Affected (2)

Products: Govee: Home

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Govee Home	Before 5.8.01
Govee Home	Before 5.8.01

Related CWEs

Exposed Dangerous Method or Function

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

References (2)

https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10

Source: incident@nbu.gov.sk

Third Party Advisory

https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.