Advertisement




Edit Report

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023010019

Below is a copy:

MOV.AI Robotics Engine 2.2.3-3 Improper Access Control
Manufacturer: MOV.AI
Product Name: MOV.AI Robotics Engine
Vendor Home Page:  https://www.mov.ai/
Affected Version(s): MOV.AI Robotics Engine v2.2.3-3
Patch Release: MOV.AI Robotics Engine v2.2.3-4
Patched Version Release: 22 September 2022
Vulnerability Type: Improper Access Control (CWE-284)
CVE Reference: CVE-2022-46621
Author of Advisory: Thurein Soe


Vendor Description:
MOV.AI is a Robotics Engine platform based on ROS. It is packaged in an
intuitive web-based interface to develop autonomous mobile robots (AMRs)
and automated guided vehicles (AGVs). It integrates with navigation,
localization, calibration, and the enterprise-grade tools they need for
advanced automation.

Vulnerability description:
An improper access control vulnerability in MOV.AI Robotics Engine v2.2.3-3
version allows an unauthenticated user to delete an existing user or create
new user-privileged functionality in the application upon successfully
authenticated user logout from the application due to failure to terminate
the authenticated session immediately after authenticated user logout.

References:
https://www.immuniweb.com/vulnerability/improper-access-control.html
https://www.cvedetails.com/cwe-details/284/Access-Control-Authorization-Issues.html


Disclosure Timeline:

06 July 2022: Found security vulnerability during a security assessment
08 July 2022: Customer reported finding a security vulnerability to MOV.AI
15 September 2022: further details of remediation steps sent to MOV.AI
22 September 2022: Patch released for MOV.AI Customer by MOV.AI


Credits:
Thurein Soe
```
Other submissions will send separately.

Best Regards
Thurein

Copyright ©2023 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.