CVE-2020-10274
HIGHMobile Industrial Robots MIR100 Firmware < 2.8.1.1 - Predictable REST API Access Tokens
Title source: llmDescription
The access tokens for the REST API are directly derived (sha256 and base64 encoding) from the publicly available default credentials from the Control Dashboard (refer to CVE-2020-10270 for related flaws). This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks (wired or wireless) to exfiltrate all stored data (e.g. indoor mapping images) and associated metadata from the robot's database.
References (1)
Core 1
Core References
Third Party Advisory x_refsource_confirm
https://github.com/aliasrobotics/RVD/issues/2556
Scores
CVSS v3
7.1
EPSS
0.0090
EPSS Percentile
54.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Details
CWE
CWE-330
CWE-200
Status
published
Products (10)
easyrobotics/er-flex_firmware
easyrobotics/er-lite_firmware
easyrobotics/er-one_firmware
easyrobotics/er200_firmware
mobile-industrial-robots/mir1000_firmware
mobile-industrial-robots/mir100_firmware
< 2.8.1.1
mobile-industrial-robots/mir200_firmware
mobile-industrial-robots/mir250_firmware
mobile-industrial-robots/mir500_firmware
uvd-robots/uvd_firmware
Published
Jun 24, 2020
Tracked Since
Feb 18, 2026