Unprotected WebView Component in Govee Home App Allows for Remote Code Execution and Data Theft

Unprotected WebView Component in Govee Home App Allows for Remote Code Execution and Data Theft

CVE-2023-3612 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Govee Home app has unprotected access to WebView component which can be opened by any app on the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or steal sensitive user data by displaying phishing content.

Learn more about our Web App Pen Testing.