CVE-2023-3612 HIGH

CVE-2023-3612: Unprotected WebView access in Govee Home App

Vendor: Govee
Product: Govee Home
Weakness: CWE-749
Published: September 11, 2023
Last update: September 26, 2024

CVSS base score

8.2/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: High
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

What the vulnerability does

01 Description

The Govee Home app exposes a WebView component without access protection, so any app on the device can open it. By sending a URL that points to a specially crafted site, an attacker can execute JavaScript in the context of the WebView or steal sensitive user data by displaying phishing content.

Key dates

02 Disclosure timeline

September 11, 2023: CVE published
September 26, 2024: Record updated