PT-2024-13332 · Govee · Govee Home

Jan Adamski +1

Published 2024-12-19 · Updated 2024-12-24 · CVE-2023-4617

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Govee Home versions prior to 5.9

Description: The issue is an incorrect authorization vulnerability in the HTTP POST method of the Govee Home application on Android and iOS. The server does not verify that the caller owns the device referenced in the request, so a remote attacker can control devices owned by other users by changing the values of the device, sku, and type fields.

Recommendations: For versions prior to 5.9, update to version 5.9 to mitigate the risk. As a temporary workaround, consider restricting access to the HTTP POST method until the update is applied. Avoid using the device, sku, and type fields in the affected API endpoint until the issue is resolved.
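The following is an added illustration of the server-side ownership check whose absence this class of bug describes; it is not Govee's code and does not reproduce the affected endpoint. The handler names, the request-body shape, and the ownership and catalogue tables are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed ownership table: device identifier -> account that owns it.
DEVICE_OWNERS = {
    "dev-1111": "alice",
    "dev-2222": "bob",
}

# Constructed catalogue: device identifier -> (sku, type) recorded at registration.
DEVICE_CATALOGUE = {
    "dev-1111": ("sku-lamp", "light"),
    "dev-2222": ("sku-sensor", "sensor"),
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def vulnerable_handle_control(user: str, payload: dict) -> Decision:
    """Flaw pattern: trusts device/sku/type from the request body and never
    asks whether `user` owns the referenced device (hypothetical handler)."""
    if not {"device", "sku", "type"} <= set(payload):
        return Decision(False, "malformed request")
    return Decision(True, f"command sent to {payload['device']}")


def hardened_handle_control(user: str, payload: dict) -> Decision:
    """Authorize against server-side state, not client-supplied fields."""
    device = payload.get("device")
    if device is None:
        return Decision(False, "malformed request")
    # 1. Ownership: the authenticated account must own the target device.
    if DEVICE_OWNERS.get(device) != user:
        # Same reply as "unknown device" so the response leaks no existence info.
        return Decision(False, "device not found")
    # 2. Consistency: sku/type are taken from the server's record; a client
    #    value that disagrees is treated as tampering and rejected.
    sku, dev_type = DEVICE_CATALOGUE[device]
    if (payload.get("sku"), payload.get("type")) != (sku, dev_type):
        return Decision(False, "device attributes do not match registration")
    return Decision(True, f"command sent to {device}")


if __name__ == "__main__":
    cross_tenant = {"device": "dev-2222", "sku": "sku-sensor", "type": "sensor"}
    print(vulnerable_handle_control("alice", cross_tenant))  # allowed (bug)
    print(hardened_handle_control("alice", cross_tenant))    # denied
```

The same request for another user's device is accepted by the first handler and refused by the second, which is the behavioural difference a regression test for this advisory should pin down.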

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2023-4617

Affected Products: Govee Home