Unprotected WebView access in Govee Home App
CVE-2023-3612

8.2 HIGH

Key Information:

Vendor: Govee
CVE Published: 11 September 2023

What is CVE-2023-3612?

A significant vulnerability in the Govee Home app allows unauthorized access to its WebView component: the WebView can be opened by any app on the user's device. By manipulating the WebView, an attacker can redirect users to malicious websites, which can execute JavaScript to extract sensitive information or present phishing content to unsuspecting users. The flaw has severe implications for user privacy and security, since it can be exploited to gather personal data or deceive users.

Affected Version(s)

Govee Home Android 5.7.03 < 5.8.01

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jan Adamski (johnny1337.pl)