Evoko Home 1.31 devices provide different error messages for failed login requests depending on whether the username is valid.
CVSS: 5.3
AI Score: 5.4
EPSS: 0.001
Evoko Home devices 1.31 through 1.37 allow remote attackers to obtain sensitive information (such as usernames and password hashes) via a WebSocket request, as demonstrated by the sockjs/224/uf1psgff/websocket URI at a wss:// URL.
CVSS: 7.5
AI Score: 7.4
EPSS: 0.016
In multiple versions of Sophos Endpoint products for macOS, a local attacker could execute arbitrary code with administrator privileges.
CVSS: 6.7
AI Score: 6.8
EPSS: 0.0004
The Govee Home app exposes an unprotected WebView component that can be opened by any app on the device. By sending a URL to a specially crafted site, an attacker can execute JavaScript in the context of the WebView or steal sensitive user data by displaying phishing content.
CVSS: 8.8
AI Score: 8.5
EPSS: 0.001