{"containers": {"cna": {"affected": [{"product": "MV720", "vendor": "MiCODUS", "versions": [{"status": "affected", "version": "All versions"}]}], "credits": [{"lang": "en", "value": "Pedro Umbelino, Dan Dahlberg, and Jacob Olcott of BitSight reported these vulnerabilities to CISA."}], "datePublic": "2022-07-19T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter \u201cDevice ID,\u201d which accepts arbitrary device IDs."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-20T15:24:26.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01"}], "source": {"discovery": "EXTERNAL"}, "title": "ICSA-22-200-01 MiCODUS MV720 GPS tracker Authorization Bypass Through User-Controlled Key", "workarounds": [{"lang": "en", "value": "As of July 18th, 2022, MiCODUS has not provided updates or patches to mitigate these vulnerabilities. CISA will update the corresponding ICSA to reflect any patches, updates, or mitigation information provided by MiCODUS in the future."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-07-19T20:09:00.000Z", "ID": "CVE-2022-33944", "STATE": "PUBLIC", "TITLE": "ICSA-22-200-01 MiCODUS MV720 GPS tracker Authorization Bypass Through User-Controlled Key"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MV720", "version": {"version_data": [{"version_affected": "=", "version_value": "All versions"}]}}]}, "vendor_name": "MiCODUS"}]}}, "credit": [{"lang": "eng", "value": "Pedro Umbelino, Dan Dahlberg, and Jacob Olcott of BitSight reported these vulnerabilities to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter \u201cDevice ID,\u201d which accepts arbitrary device IDs."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01"}]}, "source": {"discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "As of July 18th, 2022, MiCODUS has not provided updates or patches to mitigate these vulnerabilities. CISA will update the corresponding ICSA to reflect any patches, updates, or mitigation information provided by MiCODUS in the future."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T08:16:15.920Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T15:51:10.375745Z", "id": "CVE-2022-33944", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T16:14:59.125Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-33944", "datePublished": "2022-07-20T15:24:26.564Z", "dateReserved": "2022-06-24T00:00:00.000Z", "dateUpdated": "2025-04-16T16:14:59.125Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T08:16:15.920Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-33944", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-16T15:51:10.375745Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T15:51:11.811Z"}}], "cna": {"title": "ICSA-22-200-01 MiCODUS MV720 GPS tracker Authorization Bypass Through User-Controlled Key", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Pedro Umbelino, Dan Dahlberg, and Jacob Olcott of BitSight reported these vulnerabilities to CISA."}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "MiCODUS", "product": "MV720", "versions": [{"status": "affected", "version": "All versions"}]}], "datePublic": "2022-07-19T00:00:00.000Z", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01", "tags": ["x_refsource_CONFIRM"]}], "workarounds": [{"lang": "en", "value": "As of July 18th, 2022, MiCODUS has not provided updates or patches to mitigate these vulnerabilities. CISA will update the corresponding ICSA to reflect any patches, updates, or mitigation information provided by MiCODUS in the future."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter \u201cDevice ID,\u201d which accepts arbitrary device IDs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2022-07-20T15:24:26.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Pedro Umbelino, Dan Dahlberg, and Jacob Olcott of BitSight reported these vulnerabilities to CISA."}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, "source": {"discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "All versions", "version_affected": "="}]}, "product_name": "MV720"}]}, "vendor_name": "MiCODUS"}]}}, "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter \u201cDevice ID,\u201d which accepts arbitrary device IDs."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}]}, "work_around": [{"lang": "en", "value": "As of July 18th, 2022, MiCODUS has not provided updates or patches to mitigate these vulnerabilities. CISA will update the corresponding ICSA to reflect any patches, updates, or mitigation information provided by MiCODUS in the future."}], "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-33944", "STATE": "PUBLIC", "TITLE": "ICSA-22-200-01 MiCODUS MV720 GPS tracker Authorization Bypass Through User-Controlled Key", "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-07-19T20:09:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2022-33944", "state": "PUBLISHED", "dateUpdated": "2025-04-16T16:14:59.125Z", "dateReserved": "2022-06-24T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2022-07-20T15:24:26.564Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:micodus:mv720_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "8F148403-53DE-4395-9AC8-E4904E11C6A3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:micodus:mv720:-:*:*:*:*:*:*:*", "matchCriteriaId": "080B8FC0-9B29-4CE7-9E45-ABF05C69594D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter \u201cDevice ID,\u201d which accepts arbitrary device IDs."}, {"lang": "es", "value": "El servidor web principal del rastreador GPS MiCODUS versi\u00f3n MV720 presenta una vulnerabilidad de referencias directas a objetos inseguros autenticados en el endpoint y en el par\u00e1metro POST \"Device ID\", que acepta ID de dispositivos arbitrarios"}], "id": "CVE-2022-33944", "lastModified": "2024-11-21T07:08:39.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-20T16:15:09.160", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}

{}

{}