CVE-2018-15480

Name of the Vulnerable Software and Affected Versions myStrom WiFi Switch V1 versions prior to 2.66 myStrom WiFi Switch V2 versions prior to 3.80 myStrom WiFi Switch EU versions prior to 3.80 myStrom WiFi Bulb versions prior to 2.58 myStrom WiFi LED Strip versions prior to 3.80 myStrom WiFi Button versions prior to 2.73 myStrom WiFi Button Plus versions prior to 2.73

Description An issue was discovered in the cloud API, where a hidden parameter allowed an authenticated user to reconfigure the server URL for a device registered to their account. This, in combination with an insecure device registration, enabled an attacker to reconfigure a maliciously registered device to their own rogue replica of the API and issue commands, including firmware updates.

Recommendations For myStrom WiFi Switch V1 versions prior to 2.66, update to version 2.66 or later. For myStrom WiFi Switch V2 versions prior to 3.80, update to version 3.80 or later. For myStrom WiFi Switch EU versions prior to 3.80, update to version 3.80 or later. For myStrom WiFi Bulb versions prior to 2.58, update to version 2.58 or later. For myStrom WiFi LED Strip versions prior to 3.80, update to version 3.80 or later. For myStrom WiFi Button versions prior to 2.73, update to version 2.73 or later. For myStrom WiFi Button Plus versions prior to 2.73, update to version 2.73 or later.