Headline
MOV.AI Robotics Engine 2.2.3-3 Improper Access Control
An improper access control vulnerability in MOV.AI Robotics Engine version 2.2.3-3 allows an unauthenticated user to reach privileged user-management functionality in the application, namely deleting an existing user or creating a new user.
Manufacturer: MOV.AI
Product Name: MOV.AI Robotics Engine
Vendor Home Page: https://www.mov.ai/
Affected Version(s): MOV.AI Robotics Engine v2.2.3-3
Patch Release: MOV.AI Robotics Engine v2.2.3-4
Patched Version Release: 22 September 2022
Vulnerability Type: Improper Access Control (CWE-284)
CVE Reference: CVE-2022-46621
Author of Advisory: Thurein Soe

Vendor Description:
MOV.AI is a Robotics Engine platform based on ROS. It is packaged in an
intuitive web-based interface to develop autonomous mobile robots (AMRs)
and automated guided vehicles (AGVs). It integrates with navigation,
localization, calibration, and the enterprise-grade tools they need for
advanced automation.

Vulnerability description:
MOV.AI Robotics Engine v2.2.3-3 does not terminate the authenticated
session on the server side when the user logs out. Because the session
remains valid after logout, requests sent with the logged-out session are
still accepted, and an unauthenticated user can invoke privileged
user-management functionality in the application, namely deleting an
existing user or creating a new user. The fix is to invalidate the
session immediately on logout.

References:
https://www.immuniweb.com/vulnerability/improper-access-control.html
https://www.cvedetails.com/cwe-details/284/Access-Control-Authorization-Issues.html

Disclosure Timeline:
06 July 2022: Security vulnerability found during a security assessment
08 July 2022: Customer reported the finding to MOV.AI
15 September 2022: Further details of remediation steps sent to MOV.AI
22 September 2022: Patch released to MOV.AI customers by MOV.AI

Credits:
Thurein Soe

Other submissions will be sent separately.

Best Regards
Thurein
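The root cause described in the advisory is a logout that does not terminate the server-side session. The toy model below is added here as an illustration and is not MOV.AI code: the application, its endpoint, the role names and the user table are hypothetical. It reproduces the defect (logout only tells the browser to drop its cookie while the server keeps the session alive), shows the server-side revocation that closes it, and carries out the replay check a tester uses to confirm the finding: log in, capture the session token, log out, then re-send a privileged request with the old token. The same failure mode is catalogued separately as insufficient session expiration (CWE-613).

```python
"""Toy model of a logout that fails to terminate the server-side session.

Added illustration, not MOV.AI code: the app, endpoint, roles and users
are hypothetical.  It contrasts a logout that only clears the client's
cookie with one that revokes the session on the server, and runs the
replay check that distinguishes the two.
"""
import secrets
import time

SESSION_MAX_AGE_SECONDS = 8 * 3600  # absolute session lifetime, defence in depth


class SessionStore:
    """Server-side session table keyed by an opaque random token."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, role):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "role": role,
            "created": time.monotonic(),
        }
        return token

    def lookup(self, token):
        session = self._sessions.get(token)
        if session is None:
            return None
        if time.monotonic() - session["created"] > SESSION_MAX_AGE_SECONDS:
            self._sessions.pop(token, None)  # expired: forget it
            return None
        return session

    def revoke(self, token):
        """Forget the session so the token can no longer be replayed."""
        self._sessions.pop(token, None)


class UserManagementApp:
    """Stand-in for a web app with a privileged user-management endpoint.

    terminate_on_logout=False reproduces the advisory's defect: logout
    instructs the browser to discard the cookie, but the server still
    accepts the token.  terminate_on_logout=True is the corrected form.
    """

    def __init__(self, terminate_on_logout):
        self.store = SessionStore()
        # Constructed sample data: username -> role.
        self.users = {"admin": "admin", "alice": "user"}
        self.terminate_on_logout = terminate_on_logout

    def login(self, username):
        return self.store.create(username, self.users[username])

    def logout(self, token):
        # Clearing the cookie on the client is a convenience, not a control;
        # only server-side revocation actually ends the session.
        if self.terminate_on_logout:
            self.store.revoke(token)
        return {"Set-Cookie": "session=; Max-Age=0"}

    def delete_user(self, token, target):
        """Hypothetical DELETE /users/<target>; returns an HTTP-style status."""
        session = self.store.lookup(token)
        if session is None:
            return 401  # no valid session: the caller is unauthenticated
        if session["role"] != "admin":
            return 403
        if target not in self.users:
            return 404
        del self.users[target]
        return 200


def replay_after_logout(terminate_on_logout):
    """The tester's check: capture the token, log out, replay the token.

    Returns (status of the replayed delete, whether the target still exists).
    """
    app = UserManagementApp(terminate_on_logout)
    token = app.login("admin")
    app.logout(token)
    status = app.delete_user(token, "alice")
    return status, "alice" in app.users


if __name__ == "__main__":
    print("logout without revocation:", replay_after_logout(False))  # (200, False)
    print("logout with revocation:   ", replay_after_logout(True))   # (401, True)
```

Against a real target the same check is done with an intercepting proxy: save a request to the user-management endpoint, log out in the browser, and re-send the saved request unchanged. A 200 with the action applied is the finding; a 401 (or redirect to login) shows the server revoked the session. The absolute lifetime in `lookup` is a separate control and does not replace revocation on logout.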