CVE-2022-33944

Published: Jul 20, 2022Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs.

Affected (1)

Products: Micodus: Mv720 Firmware

Micodus

1 product

Mv720 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Micodus Mv720 Firmware	All versions

Running on/with	Platform Versions
Micodus Mv720	All versions

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01

Source: ics-cert@hq.dhs.gov

Third Party AdvisoryUS Government Resource

https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.