Vulnerability Details : CVE-2020-11922
An issue was discovered in WiZ Colors A60 1.14.0. The device sends unnecessary information to the cloud controller server. Although this information is sent encrypted and has low risk in isolation, it decreases the privacy of the end user. The information sent includes the local IP address being used and the SSID of the Wi-Fi network the device is connected to. (Various resources such as wigle.net can be used for mapping of SSIDs to physical locations.)
Products affected by CVE-2020-11922
- cpe:2.3:o:wizconnected:a60_colors_firmware:1.14.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11922
- 0.08%: Probability of exploitation activity in the next 30 days
- ~36%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-11922
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.3 | LOW | AV:A/AC:L/Au:N/C:P/I:N/A:N | 6.5 | 2.9 | NIST | |
4.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 2.8 | 1.4 | NIST | |
CWE ids for CVE-2020-11922
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-11922
- https://www.eurofins-cybersecurity.com/news/connected-devices-wiz-smart-lightbulbs/
  WiZ Smart Lightbulbs: Can a Lightbulb be Smart and Secure? (Exploit; Third Party Advisory)
- https://cwe.mitre.org/data/definitions/201.html
  CWE - CWE-201: Insertion of Sensitive Information Into Sent Data (4.8) (Third Party Advisory)
- http://seclists.org/fulldisclosure/2024/Jul/14
  Full Disclosure: Bunch of IoT CVEs