CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-45956
https://notcve.org/view.php?id=CVE-2023-45956
An issue discovered in Govee LED Strip v3.00.42 allows attackers to cause a denial of service via crafted Move and MoveWithOnoff commands. Un problema descubierto en Govee LED Strip v3.00.42 permite a los atacantes provocar una denegación de servicio mediante comandos Move y MoveWithOnoff manipulados. • https://github.com/IoT-Fuzz/IoT-Fuzz/blob/main/Govee%20LED%20Strip%20Vulnerability%20Report.pdf • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 18EXPL: 0CVE-2023-42189
https://notcve.org/view.php?id=CVE-2023-42189
Insecure Permissions vulnerability in Connectivity Standards Alliance Matter Official SDK v.1.1.0.0 , Nanoleaf Light strip v.3.5.10, Govee LED Strip v.3.00.42, switchBot Hub2 v.1.0-0.8, Phillips hue hub v.1.59.1959097030, and yeelight smart lamp v.1.12.69 allows a remote attacker to cause a denial of service via a crafted script to the KeySetRemove function. Vulnerabilidad de permisos inseguros en Connectivity Standards Alliance Matter Official SDK v.1.1.0.0, Nanoleaf Light strip v.3.5.10, Govee LED Strip v.3.00.42, switchBot Hub2 v.1.0-0.8, Phillips hue hub v.1.59.1959097030 y yeelight smart lamp v.1.12.69 permite que un atacante remoto provoque una denegación de servicio mediante un script manipulado para la función KeySetRemove. • https://github.com/IoT-Fuzz/IoT-Fuzz/blob/main/Remove%20Key%20Set%20Vulnerability%20Report.pdf https://github.com/project-chip/connectedhomeip/issues/28518 https://github.com/project-chip/connectedhomeip/issues/28679 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-3612 – Unprotected WebView access in Govee Home App
https://notcve.org/view.php?id=CVE-2023-3612
Govee Home app has unprotected access to WebView component which can be opened by any app on the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or steal sensitive user data by displaying phishing content. La aplicación Govee Home tiene acceso desprotegido al componente WebView que puede abrir cualquier aplicación en el dispositivo. Al enviar una URL a un sitio manipulado, el atacante puede ejecutar JavaScript en el contexto de WebView o robar datos confidenciales del usuario mostrando contenido de phishing. • https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10 • CWE-749: Exposed Dangerous Method or Function •