MOV.AI Robotics Engine 2.2.3-3 Improper Access Control

2023.01.13
Credit: Thurein Soe
Risk: Low
Local: No
Remote: Yes
CWE: CWE-284

Manufacturer: MOV.AI
Product Name: MOV.AI Robotics Engine
Vendor Home Page: https://www.mov.ai/
Affected Version(s): MOV.AI Robotics Engine v2.2.3-3
Patch Release: MOV.AI Robotics Engine v2.2.3-4
Patched Version Release: 22 September 2022
Vulnerability Type: Improper Access Control (CWE-284)
CVE Reference: CVE-2022-46621
Author of Advisory: Thurein Soe

Vendor Description:
MOV.AI is a Robotics Engine platform based on ROS. It is packaged in an intuitive web-based interface to develop autonomous mobile robots (AMRs) and automated guided vehicles (AGVs). It integrates navigation, localization, calibration, and the enterprise-grade tools needed for advanced automation.

Vulnerability Description:
An improper access control vulnerability in MOV.AI Robotics Engine v2.2.3-3 allows a user who is no longer authenticated to delete an existing user or create a new user (privileged functionality) after an authenticated user has logged out of the application. The cause is that the application fails to terminate the authenticated session immediately on logout, so the old session remains valid server-side.

References:
https://www.immuniweb.com/vulnerability/improper-access-control.html
https://www.cvedetails.com/cwe-details/284/Access-Control-Authorization-Issues.html

Disclosure Timeline:
06 July 2022: Found security vulnerability during a security assessment
08 July 2022: Customer reported the security vulnerability to MOV.AI
15 September 2022: Further details of remediation steps sent to MOV.AI
22 September 2022: Patch released for MOV.AI customer by MOV.AI

Credits: Thurein Soe

Other submissions will be sent separately.
Best Regards,
Thurein
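The root cause described above is a session that stays valid server-side after logout. The following is an added example (not part of the advisory and not MOV.AI's code) of a minimal server-side session store in which the `revoke_on_logout` flag models the difference between the weak behaviour (only the client discards its cookie) and the corrected behaviour (the server drops the session on logout); the privileged operation and the regression check are hypothetical helpers written for this illustration.

```python
import secrets
import time


class SessionStore:
    """Server-side session store keyed by an opaque random token.

    With revoke_on_logout=False, logout changes nothing on the server, so the
    old token keeps authenticating requests: the failure mode in the advisory.
    With revoke_on_logout=True, the session is deleted the moment the user
    logs out, and any later use of the token is rejected.
    """

    def __init__(self, revoke_on_logout=True, ttl_seconds=3600):
        self._sessions = {}  # token -> {"user": str, "expires": float}
        self.revoke_on_logout = revoke_on_logout
        self.ttl = ttl_seconds

    def login(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "expires": now + self.ttl}
        return token

    def logout(self, token):
        if self.revoke_on_logout:
            self._sessions.pop(token, None)  # server-side termination
        # otherwise only the browser forgets the cookie; server state is unchanged

    def authenticate(self, token, now=None):
        """Return the session's user, or None if the token is unknown or expired."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None or sess["expires"] <= now:
            self._sessions.pop(token, None)
            return None
        return sess["user"]


def delete_user(store, token, target, users):
    """Hypothetical privileged endpoint: requires a live authenticated session."""
    if store.authenticate(token) is None:
        return False  # equivalent of HTTP 401: reject, do not touch user data
    users.discard(target)
    return True


def token_survives_logout(store):
    """Defender's regression check: does a token still authenticate after logout?"""
    token = store.login("admin")
    store.logout(token)
    return store.authenticate(token) is not None
```

The `token_survives_logout` check is the shape of test a team would add after a fix like the v2.2.3-4 patch, so the logout path cannot silently regress.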


Copyright 2023, cxsecurity.com