CVE-2023-4617

EUVD-2023-54470
Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "type" fields' values. 
This issue affects Govee Home applications on Android and iOS in versions before 5.9.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
CERT-PLCNA
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 82%
Common Weakness Enumeration
References
https://apps.apple.com/us/app/govee-home/id1395696823
https://cert.pl/en/posts/2024/12/CVE-2023-4617/
https://cert.pl/posts/2024/12/CVE-2023-4617/
https://play.google.com/store/apps/details?id=com.govee.home