Jacob Olcott

**Name of the Vulnerable Software and Affected Versions** MiCODUS MV720 GPS tracker (affected versions not specified) **Description** The MiCODUS MV720 GPS tracker API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MiCODUS MV720 GPS tracker (affected versions not specified) **Description** The issue allows SMS-based GPS commands to be executed by the MiCODUS MV720 GPS tracker without requiring authentication. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MiCODUS MV720 GPS tracker (affected versions not specified) **Description** The main web server of the MiCODUS MV720 GPS tracker has a reflected cross-site scripting issue. This could allow an attacker to gain control by tricking a user into making a request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MiCODUS MV720 GPS tracker (affected versions not specified) **Description** The main web server of the MiCODUS MV720 GPS tracker has an authenticated insecure direct object references issue. This issue is related to an endpoint and the POST parameter `Device ID`, which accepts arbitrary device IDs. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MiCODUS MV720 GPS tracker (affected versions not specified) **Description** The main web server of the MiCODUS MV720 GPS tracker has an authenticated insecure direct object reference issue. This issue is related to the endpoint and parameter `device IDs`, which accept arbitrary `device IDs` without further verification. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.