MOV.AI Robotics Engine 2.2.3-3 Cross Site Scripting

MOV.AI Robotics Engine version 2.2.3-3 suffers from multiple cross site scripting vulnerabilities.


SHA-256 | b4fade716d8cdd82f18de5a3e6c65b0d1b1d58bb728ae8e16d265e61aa6541f7

Vendor Name: MOV.AI
Product Name: MOV.AI Robotics Engine
Vendor Home Page: https://www.mov.ai
Affected Version(s): MOV.AI Robotics Engine v2.2.3-3
Patch Release: MOV.AI Robotics Engine v2.2.3-4
Patched Version Release: 22 September 2022
Vulnerability Type: Reflected XSS (CWE-79)
CVE Reference: CVE-2022-46620
Author of Advisory: Thurein Soe


Vendor Description:
MOV.AI is a Robotics Engine platform based on ROS. It is packaged in an
intuitive web-based interface to develop autonomous mobile robots (AMRs)
and automated guided vehicles (AGVs). It integrates with navigation,
localization, calibration, and the enterprise-grade tools they need for
advanced automation.

Vulnerability description:
Post Reflected cross-site scripting (XSS) vulnerability in MOV.AI Robotics
Engine v2.2.3-3 version allowing an attacker to execute arbitrary
javascript in the context of RCS application due to inadequate sanitization
of user-supplied data. During the Assessment, it was possible to send
arbitrary JavaScript, and the server returned as part of an application
response body due to insufficient input validation.

Vulnerable Parameters:

dashboard/users/admin2
dashboard/groups
AdminBoard

Impact:
Cross-Site Scripting issues occur when an application uses untrusted data
supplied by untrusted users in a web browser without sufficient prior
validation or escaping. A potential attacker can embed untrusted code
within a client-side script to be executed by the browser while
interpreting the page. Attackers utilize XSS vulnerabilities to execute
scripts in a legitimate user's browser leading to user credentials theft,
session hijacking, website defacement, or redirection to malicious sites.

References:
https://www.immuniweb.com/vulnerability/cross-site-scripting.html

Disclosure Timeline:
06 July 2022: Found security vulnerability during a security assessment
08 July 2022: Customer reported finding a security vulnerability to MOV.AI
15 September 2022: further details of remediation steps sent to MOV.AI
22 September 2022: Patch released for MOV.AI Customer by MOV.AI

Credits:
Thurein Soe

Related Posts