Jan Adamski

**Name of the Vulnerable Software and Affected Versions** Govee devices (affected versions not specified) Govee H6056 - lamp firmware version 1.08.13 **Description** A flaw in the binding process of Govee’s cloud platform and devices allows a remote attacker to bind an existing, online Govee device to the attacker’s account, resulting in full control of the device and removal of the device from its legitimate owner’s account. The server-side API allows device association using identifiers: `device`, `sku`, `type`, and a client-computed `value`, which are not cryptographically bound to a secret originating from the device itself. This allows for trivial device takeover via identifier manipulation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Govee Home versions prior to 5.9 **Description** The issue is related to an incorrect authorization vulnerability in the HTTP POST method in the Govee Home application on Android and iOS. This allows a remote attacker to control devices owned by other users via changing the `device`, `sku`, and `type` fields' values. **Recommendations** For versions prior to 5.9, update to version 5.9 to mitigate the risk. As a temporary workaround, consider restricting access to the HTTP POST method until the update is applied. Avoid using the `device`, `sku`, and `type` fields in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** eWeLink versions prior to 5.2.0 **Description** The issue is related to improper privilege management in the eWeLink application on Android and iOS, allowing for application lockscreen bypass. **Recommendations** For versions prior to 5.2.0, update to version 5.2.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Imou Life version 6.7.0 **Description** A session hijacking issue has been detected in the Imou Life application. This issue could allow an attacker to hijack user accounts due to the QR code functionality not properly filtering codes when scanning a new device and directly running WebView without prompting or displaying it to the user. This could trigger phishing attacks. **Recommendations** For Imou Life version 6.7.0, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Govee Home app (affected versions not specified) **Description** The Govee Home app has unprotected access to the WebView component, which can be opened by any app on the device. By sending a URL to a specially crafted site, an attacker can execute JavaScript in the context of WebView or steal sensitive user data by displaying phishing content. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.