Total
5 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-2141 | 1 Micodus | 2 Mv720, Mv720 Firmware | 2022-07-27 | N/A | 9.8 CRITICAL |
SMS-based GPS commands can be executed by MiCODUS MV720 GPS tracker without authentication. | |||||
CVE-2022-2107 | 1 Micodus | 2 Mv720, Mv720 Firmware | 2022-07-27 | N/A | 9.8 CRITICAL |
The MiCODUS MV720 GPS tracker API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number. | |||||
CVE-2022-33944 | 1 Micodus | 2 Mv720, Mv720 Firmware | 2022-07-27 | N/A | 6.5 MEDIUM |
The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs. | |||||
CVE-2022-2199 | 1 Micodus | 2 Mv720, Mv720 Firmware | 2022-07-27 | N/A | 6.1 MEDIUM |
The main MiCODUS MV720 GPS tracker web server has a reflected cross-site scripting vulnerability that could allow an attacker to gain control by tricking a user into making a request. | |||||
CVE-2022-34150 | 1 Micodus | 2 Mv720, Mv720 Firmware | 2022-07-27 | N/A | 5.4 MEDIUM |
The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification. |