CVE-2020-10275

The access tokens for the REST API are directly derived from the publicly available default credentials for the web interface. Given a USERNAME and a PASSWORD, the token string is generated directly with base64(USERNAME:sha256(PASSWORD)). An unauthorized attacker inside the network can use the default credentials to compute the token and interact with the REST API to exfiltrate, infiltrate or delete data.

9.8 critical severity
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Created
24/06/2020

Operating Systems 10

MI

MIR100 Firmware

by Mobile-Industrial-Robots

3 Versions

4 months ago

MI

MIR200 Firmware

by Mobile-Industrial-Robots

3 Versions

4 months ago

MI

MIR250 Firmware

by Mobile-Industrial-Robots

3 Versions

4 months ago

MI

MIR500 Firmware

by Mobile-Industrial-Robots

3 Versions

4 months ago

MI

MIR1000 Firmware

by Mobile-Industrial-Robots

3 Versions

4 months ago

ER

ER200 Firmware

by Easyrobotics

2 Versions

4 months ago

Er

Er-Lite Firmware

by Easyrobotics

2 Versions

4 months ago

Er

Er-Flex Firmware

by Easyrobotics

2 Versions

4 months ago

Er

Er-One Firmware

by Easyrobotics

2 Versions

4 months ago

UV

UVD Firmware

by Uvd-Robots

1 Version

4 months ago

Vulnerability Categories 1

Inadequate Encryption Strength

Advisory Links 1

https://github.com/aliasrobotics/RVD/issues/2565

http://www.vicarius.io is owned and operated by Vicarius Ltd. (the “Company”). All information contained on the Website is purely for informational, and educational purposes and should be independently verified and confirmed. Vicarius does not accept any liability for any loss or damage whatsoever caused in reliance upon such information or services. No statements or information presented in any form by Vicarius is intended as fact, and you agree that you will not consider the statements or information presented on the Website as fact or as a guarantee of performance.