Brandon Park

**Name of the Vulnerable Software and Affected Versions** Cognex 3D-A1000 Dimensioning System versions 1.0.3 (3354) and prior **Description** The issue is related to the implementation of security functions on the client-side of the Cognex 3D-A1000 Dimensioning System. This could allow a remote attacker to elevate their privileges. The vulnerability is associated with the client-side enforcement of server-side security, which may enable attackers to bypass web access controls by inspecting and modifying the source code of password-protected web elements. **Recommendations** For versions 1.0.3 (3354) and prior, consider disabling web access to password-protected elements until a patch is available. Restrict access to the source code of web elements to minimize the risk of exploitation. Avoid using password-protected web elements in the affected system until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cognex 3D-A1000 Dimensioning System versions 1.0.3 and prior **Description** The issue is related to missing authentication for critical functions, allowing unauthorized users to change the operator account password via web server commands. This can be achieved by monitoring web socket communications from an unauthenticated session, potentially enabling an attacker to escalate privileges to match those of the compromised account. **Recommendations** For versions 1.0.3 and prior, consider disabling web server commands related to password changes until a patch is available. Restrict access to the web interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cognex 3D-A1000 Dimensioning System versions 1.0.3 (3354) and prior **Description** The issue is related to improper output neutralization for logs, which can be exploited by a remote attacker to create arbitrary log files. This can lead to the creation of false logs that show the password as having been changed when it is not, complicating forensic analysis. **Recommendations** For versions 1.0.3 (3354) and prior, consider disabling the logging functionality until a patch is available to prevent the creation of false logs. Restrict access to the logging module to minimize the risk of exploitation. Avoid relying on log files for password change tracking until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.