CVE-2020-10274

The access tokens for the REST API are directly derived (sha256 and base64 encoding) from the publicly available default credentials from the Control Dashboard (refer to CVE-2020-10270 for related flaws). This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks (wired or wireless) to exfiltrate all stored data (e.g. indoor mapping images) and associated metadata from the robot's database.

7.1 high severity
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Created
24/06/2020

Operating Systems 10

MI

MIR100 Firmware

by Mobile-Industrial-Robots

3 Versions

4 months ago

MI

MIR200 Firmware

by Mobile-Industrial-Robots

3 Versions

4 months ago

MI

MIR250 Firmware

by Mobile-Industrial-Robots

3 Versions

4 months ago

MI

MIR500 Firmware

by Mobile-Industrial-Robots

3 Versions

4 months ago

MI

MIR1000 Firmware

by Mobile-Industrial-Robots

3 Versions

4 months ago

ER

ER200 Firmware

by Easyrobotics

2 Versions

4 months ago

Er

Er-Lite Firmware

by Easyrobotics

2 Versions

4 months ago

Er

Er-Flex Firmware

by Easyrobotics

2 Versions

4 months ago

Er

Er-One Firmware

by Easyrobotics

2 Versions

4 months ago

UV

UVD Firmware

by Uvd-Robots

1 Version

4 months ago

Vulnerability Categories 1

Information Exposure

Advisory Links 1

https://github.com/aliasrobotics/RVD/issues/2556

http://www.vicarius.io is owned and operated by Vicarius Ltd. (the “Company”). All information contained on the Website is purely for informational, and educational purposes and should be independently verified and confirmed. Vicarius does not accept any liability for any loss or damage whatsoever caused in reliance upon such information or services. No statements or information presented in any form by Vicarius is intended as fact, and you agree that you will not consider the statements or information presented on the Website as fact or as a guarantee of performance.