PT-2019-15737 · Signify Philips · Signify Philips Taolight Smart Wi-Fi Wiz Connected Led Bulb

Eric Pendergrass · Published 2019-11-14 · Updated 2020-08-24 · CVE-2019-18980

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb version 9290022656

Description

The issue allows remote users to control the bulb's operation due to an unprotected API. This enables anyone with network access to the bulb to turn it on or off, or change its color or brightness remotely, as there is no authentication or encryption required to use the control API.

Recommendations

For Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb version 9290022656, as a temporary workaround, consider restricting network access to the bulb until a patch is available.

Weakness Enumeration

Missing Encryption of Sensitive Data

Missing Authentication

Related Identifiers

CVE-2019-18980

Affected Products

Signify Philips Taolight Smart Wi-Fi Wiz Connected Led Bulb