Tim Schughart

**Name of the Vulnerable Software and Affected Versions** Bose Soundtouch app version 18.1.4 **Description** An issue in the Bose Soundtouch app allows for the execution of JavaScript on a registered Bose User Account if a speaker has been connected to the app. This is possible due to the lack of frontend input validation of the device name, which can be exploited by using a malicious device name. **Recommendations** For Bose Soundtouch app version 18.1.4, consider restricting the use of the device name feature until a patch is available to prevent potential JavaScript execution on the registered Bose User Account. At the moment, there is no information about a newer version that contains a fix for this issue.