CVE-2020-10274 HIGH

CVE-2020-10274: RVD#2556: MiR REST API allows for data exfiltration by unauthorized attackers (e.g. indoor maps)

Vendor Mobile Industrial Robots A/S

Product MiR100

Weakness CWE-200 · Info exposure

Published June 24, 2020

Last update September 17, 2024

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

The access tokens for the REST API are directly derived (sha256 and base64 encoding) from the publicly available default credentials from the Control Dashboard (refer to CVE-2020-10270 for related flaws). This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks (wired or wireless) to exfiltrate all stored data (e.g. indoor mapping images) and associated metadata from the robot's database.

Key dates

02Disclosure timeline

June 24, 2020 CVE published

September 17, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-10274 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

CVE-2020-10274: RVD#2556: MiR REST API allows for data exfiltration by unauthorized attackers (e.g. indoor maps)

01Description

02Disclosure timeline

03References

04Related CVE