CVE-2023-4617
Severity: CRITICAL
Govee Home < 5.9 - Unauthenticated Device Control via HTTP POST Parameter Manipulation
Title source: llmDescription
Incorrect authorization vulnerability in the HTTP POST method of the Govee Home application on Android and iOS allows a remote attacker to control devices owned by other users by changing the values of the "device", "sku" and "type" fields. This issue affects Govee Home applications on Android and iOS in versions before 5.9.
References (4)
Core References
third-party-advisory: https://cert.pl/en/posts/2024/12/CVE-2023-4617/
third-party-advisory: https://cert.pl/posts/2024/12/CVE-2023-4617/
product: https://play.google.com/store/apps/details?id=com.govee.home
product: https://apps.apple.com/us/app/govee-home/id1395696823
Scores
CVSS v3
10.0
EPSS
0.0057
EPSS Percentile
42.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (1)
Govee/Govee Home
< 5.9
Published
Dec 19, 2024
Tracked Since
Feb 18, 2026