Llandeilocymro

**Name of the Vulnerable Software and Affected Versions** MOBOTIX S14 version MX-V4.2.1.61 **Description** The issue is related to a lack of CSRF countermeasures. This can be demonstrated by adding an admin account via the "/admin/access" API endpoint. **Recommendations** For MOBOTIX S14 version MX-V4.2.1.61, consider implementing CSRF countermeasures to prevent unauthorized actions, such as adding an admin account via the "/admin/access" API endpoint. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MOBOTIX S14 version MX-V4.2.1.61 **Description** An issue was discovered where administrator credentials are stored in the 13-character DES hash format. **Recommendations** For MOBOTIX S14 version MX-V4.2.1.61, consider changing the password storage mechanism to a more secure format to mitigate the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MOBOTIX S14 version MX-V4.2.1.61 **Description** An issue was discovered where the /admin/access endpoint accepts a request to set an insecure password, specifically "aaaaa", from a user. This could be considered insecure for some use cases. **Recommendations** For MOBOTIX S14 version MX-V4.2.1.61, consider restricting access to the /admin/access endpoint or implementing additional password security measures to prevent the use of insecure passwords like "aaaaa".

**Name of the Vulnerable Software and Affected Versions** MOBOTIX S14 version MX-V4.2.1.61 **Description** An issue was discovered where the default management application is delivered over cleartext HTTP with Basic Authentication. This is demonstrated by the "/admin/index.html" API endpoint. **Recommendations** For MOBOTIX S14 version MX-V4.2.1.61, consider disabling the use of Basic Authentication over cleartext HTTP as a temporary workaround until a patch is available. Restrict access to the "/admin/index.html" API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MOBOTIX S14 version MX-V4.2.1.61 **Description** A security issue was found where the admin account on the device has a default password set to `meinsm`. **Recommendations** For MOBOTIX S14 version MX-V4.2.1.61, change the default password of the admin account to a strong and unique password to prevent unauthorized access.