CVE-2020-10275

Summary

The access tokens for the REST API are directly derived from the publicly available default credentials for the web interface. Given a USERNAME and a PASSWORD, the token string is generated directly with base64(USERNAME:sha256(PASSWORD)). An unauthorized attacker inside the network can use the default credentials to compute the token and interact with the REST API to exfiltrate, infiltrate or delete data.

Affected Software

VendorProductVersion RangeStatus
Mobile Industrial Robots A/SMiR100v2.8.1.1 and beforeaffected

Weaknesses

  • CWE-261: CWE-261

ADP Enrichment

CVE Program Container

Additional References

References