MOV.AI Robotics Engine version 2.2.3-3 suffers from multiple cross site scripting vulnerabilities.
advisories | CVE-2022-46620
Vendor Name: MOV.AI
Product Name: MOV.AI Robotics Engine
Vendor Home Page: https://www.mov.ai
Affected Version(s): MOV.AI Robotics Engine v2.2.3-3
Patch Release: MOV.AI Robotics Engine v2.2.3-4
Patched Version Release: 22 September 2022
Vulnerability Type: Reflected XSS (CWE-79)
CVE Reference: CVE-2022-46620
Author of Advisory: Thurein Soe
Vendor Description:
MOV.AI is a Robotics Engine platform based on ROS. It is packaged in an
intuitive web-based interface to develop autonomous mobile robots (AMRs)
and automated guided vehicles (AGVs). It integrates with navigation,
localization, calibration, and the enterprise-grade tools they need for
advanced automation.
Vulnerability description:
Post Reflected cross-site scripting (XSS) vulnerability in MOV.AI Robotics
Engine v2.2.3-3 version allowing an attacker to execute arbitrary
javascript in the context of RCS application due to inadequate sanitization
of user-supplied data. During the Assessment, it was possible to send
arbitrary JavaScript, and the server returned as part of an application
response body due to insufficient input validation.
Vulnerable Parameters:
dashboard/users/admin2
dashboard/groups
AdminBoard
Impact:
Cross-Site Scripting issues occur when an application uses untrusted data
supplied by untrusted users in a web browser without sufficient prior
validation or escaping. A potential attacker can embed untrusted code
within a client-side script to be executed by the browser while
interpreting the page. Attackers utilize XSS vulnerabilities to execute
scripts in a legitimate user's browser leading to user credentials theft,
session hijacking, website defacement, or redirection to malicious sites.
References:
https://www.immuniweb.com/vulnerability/cross-site-scripting.html
Disclosure Timeline:
06 July 2022: Found security vulnerability during a security assessment
08 July 2022: Customer reported finding a security vulnerability to MOV.AI
15 September 2022: further details of remediation steps sent to MOV.AI
22 September 2022: Patch released for MOV.AI Customer by MOV.AI
Credits:
Thurein Soe