CVE-2020-10274

HIGH

Mobile-industrial-robots Mir100 Firmware - Information Disclosure

Title source: rule

Description

The access tokens for the REST API are directly derived (sha256 and base64 encoding) from the publicly available default credentials from the Control Dashboard (refer to CVE-2020-10270 for related flaws). This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks (wired or wireless) to exfiltrate all stored data (e.g. indoor mapping images) and associated metadata from the robot's database.

References (1)

[Third Party Advisory] https://github.com/aliasrobotics/RVD/issues/2556

Scores

CVSS v3 7.1

EPSS 0.0028

EPSS Percentile 51.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Details

CWE

CWE-330 CWE-200

Status published

Products (10)

easyrobotics/er-flex_firmware

easyrobotics/er-lite_firmware

easyrobotics/er-one_firmware

easyrobotics/er200_firmware

mobile-industrial-robots/mir1000_firmware

mobile-industrial-robots/mir100_firmware < 2.8.1.1

mobile-industrial-robots/mir200_firmware

mobile-industrial-robots/mir250_firmware

mobile-industrial-robots/mir500_firmware

uvd-robots/uvd_firmware

Published Jun 24, 2020

Tracked Since Feb 18, 2026