← Back to CVEs

CVE-2023-4617

CRITICAL

10.0

Description

Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "type" fields' values. This issue affects Govee Home applications on Android and iOS in versions before 5.9.

CVE Details

CVSS v3.1 Score10.0

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published12/19/2024

Last Modified12/19/2024

Sourcenvd

Honeypot Sightings0

Weaknesses (CWE)

CWE-863

References

https://apps.apple.com/us/app/govee-home/id1395696823(cvd@cert.pl)

https://cert.pl/en/posts/2024/12/CVE-2023-4617/(cvd@cert.pl)

https://cert.pl/posts/2024/12/CVE-2023-4617/(cvd@cert.pl)

https://play.google.com/store/apps/details?id=com.govee.home(cvd@cert.pl)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.