CRITICAL🇬🇧 English

CVE-2020-10275

CVSS 9.8v3.1pub. 2020-06-24upd. 2024-11-21

The access tokens for the REST API are directly derived from the publicly available default credentials for the web interface. Given a USERNAME and a PASSWORD, the token string is generated directly with base64(USERNAME:sha256(PASSWORD)). An unauthorized attacker inside the network can use the default credentials to compute the token and interact with the REST API to exfiltrate, infiltrate or delete data.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Easyrobotics Er200

    HW
    Easyrobotics
    wszystkie wersje
  • Easyrobotics Er200 Firmware

    OS
    Easyrobotics
    wszystkie wersje
  • Easyrobotics Er Flex

    HW
    Easyrobotics
    wszystkie wersje
  • Easyrobotics Er Flex Firmware

    OS
    Easyrobotics
    wszystkie wersje
  • Easyrobotics Er Lite

    HW
    Easyrobotics
    wszystkie wersje
  • Easyrobotics Er Lite Firmware

    OS
    Easyrobotics
    wszystkie wersje
  • Easyrobotics Er One

    HW
    Easyrobotics
    wszystkie wersje
  • Easyrobotics Er One Firmware

    OS
    Easyrobotics
    wszystkie wersje
  • Mobile Industrial Robots Mir100

    HW
    Mobile-Industrial-Robots
    wszystkie wersje
  • Mobile Industrial Robots Mir1000

    HW
    Mobile-Industrial-Robots
    wszystkie wersje
  • Mobile Industrial Robots Mir1000 Firmware

    OS
    Mobile-Industrial-Robots
    wszystkie wersje
  • Mobile Industrial Robots Mir100 Firmware

    OS
    Mobile-Industrial-Robots
    ≤ 2.8.1.1
  • Mobile Industrial Robots Mir200

    HW
    Mobile-Industrial-Robots
    wszystkie wersje
  • Mobile Industrial Robots Mir200 Firmware

    OS
    Mobile-Industrial-Robots
    wszystkie wersje
  • Mobile Industrial Robots Mir250

    HW
    Mobile-Industrial-Robots
    wszystkie wersje
  • Mobile Industrial Robots Mir250 Firmware

    OS
    Mobile-Industrial-Robots
    wszystkie wersje
  • Mobile Industrial Robots Mir500

    HW
    Mobile-Industrial-Robots
    wszystkie wersje
  • Mobile Industrial Robots Mir500 Firmware

    OS
    Mobile-Industrial-Robots
    wszystkie wersje
  • Uvd Robots Uvd

    HW
    Uvd-Robots
    wszystkie wersje
  • Uvd Robots Uvd Firmware

    OS
    Uvd-Robots
    wszystkie wersje
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2020-10276CRITICAL9.8ten sam produkt

The password for the safety PLC is the default and thus easy to find (in manuals, etc.). This allows a manipul...

CVE-2020-10274HIGH7.1ten sam produkt

The access tokens for the REST API are directly derived (sha256 and base64 encoding) from the publicly availab...

CVE-2020-10280HIGH7.5ten sam produkt

The Apache server on port 80 that host the web interface is vulnerable to a DoS by spamming incomplete HTTP he...

CVE-2020-10277MEDIUM6.4ten sam produkt

There is no mechanism in place to prevent a bad operator to boot from a live OS image, this can lead to extrac...

CVE-2020-10269CRITICAL9.8ten sam vendor

One of the wireless interfaces within MiR100, MiR200 and possibly (according to the vendor) other MiR fleet ve...