ID

VAR-202104-0017


CVE

CVE-2020-11923


TITLE

WiZ Colors A60 vulnerability in plaintext storage of important information

Trust: 0.8

sources: JVNDB: JVNDB-2020-016452

DESCRIPTION

An issue was discovered in WiZ Colors A60 1.14.0. API credentials are locally logged. WiZ Colors A60 contains a vulnerability in the plaintext storage of important information. Information may be obtained.

Applications use general logs to reflect all kinds of information to the terminal. The WiZ application also uses logs; however, instead of only generic information, API credentials are also written to the Android log. The information reflected in the logging can be used to perform authorised requests on behalf of the user, and therefore to control the lights just as the user can using the application. Obtaining the information requires access to the device logs. This can most easily be done via local access, and also by other apps on rooted devices.

[Vulnerability Type] Incorrect Access Control
[Vendor of Product] WiZ Connected
[Affected Product Code Base] WiZ Colors A60 - 1.14.0
[Affected Component] Wiz Android Application 1.15.0
[Attack Type] Physical
[Impact Information Disclosure] true
[Attack Vectors] Physical access or local root access on the mobile phone is required in order to exploit this issue.
[Reference] N/A
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Wouter Wessels, Willem Westerhof, Jasper Nota, Jim Blankendaal

Use CVE-2020-11923

Trust: 1.8

sources: NVD: CVE-2020-11923 // JVNDB: JVNDB-2020-016452 // VULMON: CVE-2020-11923 // PACKETSTORM: 179802

AFFECTED PRODUCTS

vendor: wizconnected, model: wiz, scope: eq, version: 1.14.0

Trust: 1.0

vendor: wiz connected lighting, model: colors a60, scope: eq, version: wiz colors a60 firmware 1.14.0

Trust: 0.8

vendor: wiz connected lighting, model: colors a60, scope: eq, version: -

Trust: 0.8

vendor: wiz connected lighting, model: colors a60, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-016452 // NVD: CVE-2020-11923

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-11923
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-11923
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202104-084
value: MEDIUM

Trust: 0.6

VULMON: CVE-2020-11923
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2020-11923
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2020-11923
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2020-11923
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2020-11923 // JVNDB: JVNDB-2020-016452 // CNNVD: CNNVD-202104-084 // NVD: CVE-2020-11923

PROBLEMTYPE DATA

problemtype:CWE-312

Trust: 1.0

problemtype:Plaintext storage of important information (CWE-312) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-016452 // NVD: CVE-2020-11923

THREAT TYPE

local

Trust: 0.7

sources: PACKETSTORM: 179802 // CNNVD: CNNVD-202104-084

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-084

PATCH

title: Top Page, url: https://www.wizconnected.com/en/

Trust: 0.8

title: WiZ Connected WiZ Colors A60 Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=146626

Trust: 0.6

sources: JVNDB: JVNDB-2020-016452 // CNNVD: CNNVD-202104-084

EXTERNAL IDS

db: NVD, id: CVE-2020-11923

Trust: 2.7

db: JVNDB, id: JVNDB-2020-016452

Trust: 0.8

db: CNNVD, id: CNNVD-202104-084

Trust: 0.6

db: OTHER, id: NONE

Trust: 0.1

db: VULMON, id: CVE-2020-11923

Trust: 0.1

db: PACKETSTORM, id: 179802

Trust: 0.1

sources: OTHER: None // VULMON: CVE-2020-11923 // JVNDB: JVNDB-2020-016452 // PACKETSTORM: 179802 // CNNVD: CNNVD-202104-084 // NVD: CVE-2020-11923

REFERENCES

url:https://www.eurofins-cybersecurity.com/news/connected-devices-wiz-smart-lightbulbs/

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2020-11923

Trust: 1.5

url:http://seclists.org/fulldisclosure/2024/jul/14

Trust: 1.0

url:https://cwe.mitre.org/data/definitions/312.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2020-11923 // JVNDB: JVNDB-2020-016452 // PACKETSTORM: 179802 // CNNVD: CNNVD-202104-084 // NVD: CVE-2020-11923

CREDITS

Willem Westerhof | Secura

Trust: 0.1

sources: OTHER: None

SOURCES

db: OTHER, id: -
db: VULMON, id: CVE-2020-11923
db: JVNDB, id: JVNDB-2020-016452
db: PACKETSTORM, id: 179802
db: CNNVD, id: CNNVD-202104-084
db: NVD, id: CVE-2020-11923

LAST UPDATE DATE

2025-01-30T20:29:02.868000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2020-11923, date: 2021-04-07T00:00:00
db: JVNDB, id: JVNDB-2020-016452, date: 2021-12-08T02:32:00
db: CNNVD, id: CNNVD-202104-084, date: 2021-04-08T00:00:00
db: NVD, id: CVE-2020-11923, date: 2024-11-21T04:58:54.883

SOURCES RELEASE DATE

db: OTHER, id: -, date: 2024-07-26T13:11:06
db: VULMON, id: CVE-2020-11923, date: 2021-04-02T00:00:00
db: JVNDB, id: JVNDB-2020-016452, date: 2021-12-08T00:00:00
db: PACKETSTORM, id: 179802, date: 2024-07-30T12:35:43
db: CNNVD, id: CNNVD-202104-084, date: 2021-04-02T00:00:00
db: NVD, id: CVE-2020-11923, date: 2021-04-02T19:15:18.553