Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Teledyne FLIR FB-Series O and FH-Series ID Access Control Vulnerability in Production Tools Component
Vulnerability
A critical vulnerability has been identified in Teledyne FLIR FB-Series O and FLIR FH-Series ID version 1.3.2.16. The issue resides in the Production Tools component, specifically within the file '/priv/production/production.html'. This vulnerability stems from improper access controls, allowing unauthorized access to a management backend intended for internal use. The file's exposure on the public network, due to server misconfiguration, enables attackers to access it without authentication. This flaw could lead to unauthorized access, information disclosure, and potentially remote code execution.
Impact
Exploitation of this vulnerability allows for unauthorized access to the production management backend, which could lead to information disclosure and remote code execution.
Reproduction
The vulnerability can be reproduced by accessing the '/priv/production/production.html' file directly through a web browser. This can be done by entering the URL of the vulnerable device, followed by the path to the production.html file. No authentication is required to access this file, making it possible for anyone who knows the URL to exploit the vulnerability.
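A defender can check whether the page has been requested from outside the management network by reviewing web access logs. The following is an added example, not code from the vendor or the advisory: it assumes Common Log Format lines from the device or a reverse proxy in front of it, and the `ALLOWED_NETS` range and the sample log lines are constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

SENSITIVE_PREFIX = "/priv/production/"   # directory of the page named in the advisory
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: management VLAN

# Common Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})\b')

def normalize(target):
    """Canonicalize a request target so encoded or padded variants still match."""
    path = target.split("?", 1)[0]
    for _ in range(2):                       # second pass catches double encoding
        path = unquote(path)
    path = "/" + path.replace("\\", "/").lstrip("/")
    return posixpath.normpath(path).lower()  # collapse //, ./ and ../; fold case

def is_allowed(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:                       # hostname or garbage: treat as external
        return False
    return any(ip in net for net in ALLOWED_NETS)

def find_exposures(lines):
    """Return (ip, timestamp, path, status) for each request to the production
    tools directory that came from a source outside ALLOWED_NETS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize(m["target"])
        if (path + "/").startswith(SENSITIVE_PREFIX) and not is_allowed(m["ip"]):
            hits.append((m["ip"], m["ts"], path, int(m["status"])))
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '10.20.0.15 - - [01/Jan/2025:10:00:00 +0000] "GET /priv/production/production.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2025:10:02:11 +0000] "GET /priv/production/production.html HTTP/1.1" 200 5120',
    '198.51.100.23 - - [01/Jan/2025:10:03:40 +0000] "GET /%70riv//Production/./production.html?x=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2025:10:04:02 +0000] "GET /index.html HTTP/1.1" 200 812',
    '198.51.100.23 - - [01/Jan/2025:10:05:00 +0000] "GET /priv/production/production.html HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for hit in find_exposures(SAMPLE):
        print(hit)
```

A 2xx status on a hit means the page was served to an external source; a 401 or 403 indicates an access control in front of the device refused the request.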
