A command injection vulnerability exists in ProPump and Controls Osprey Pump Controller 1.0.1. An attacker can exploit this vulnerability by sending a specially crafted eventFileSelected request to the vulnerable application. This can allow the attacker to execute arbitrary commands on the underlying operating system.
ProPump and Controls, Inc. provides pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey is a door-mounted irrigation and landscape pump controller. The affected version is Software Build ID 20211018, Production 10/18/2021, Mirage App: MirageAppManager, Release [1.0.1], Mirage Model 1, RetroBoard II. The system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy-to-understand control terminology gives any qualified pump technician the ability to make basic changes without support.
ProPump and Controls Osprey Pump Controller version 1.0.1 is vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious web page or link that, when visited by an authenticated user, can perform arbitrary actions on behalf of the user. This can be used to modify the system configuration, change user passwords, or even shut down the system.
A vulnerability in Osprey Pump Controller v1.0.1 allows an attacker to bypass authentication and modify credentials. The affected version is Software Build ID 20211018, Production 10/18/2021 and Mirage App: MirageAppManager, Release [1.0.1] and Mirage Model 1, RetroBoard II. The vulnerability is due to lack of password protection unless requested by the customer. This allows an attacker to access and modify critical pump station information.
A reflected cross-site scripting (XSS) vulnerability exists in the Osprey Pump Controller v1.0.1 software due to insufficient sanitization of user-supplied input. An attacker can leverage this vulnerability to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.
A vulnerability in ProPump and Controls' Osprey Pump Controller 1.0.1 allows an unauthenticated attacker to inject arbitrary commands into the userName parameter of the web application. This can be exploited to execute arbitrary commands with the privileges of the web server process.
ProPump & Controls' Osprey Pump Controller 1.0.1 is vulnerable to a semi-blind command injection vulnerability. This vulnerability allows an attacker to inject arbitrary commands into the system without authentication. The vulnerability exists due to the lack of proper input validation when handling user-supplied data. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious commands.
ProPump and Controls, Inc.'s Osprey Pump Controller 1.0.1 is vulnerable to a backdoor access vulnerability. This vulnerability allows an attacker to gain access to the system without authentication. The system does not have any password protection unless requested by the customer. This vulnerability can be exploited by an attacker to gain access to the system and modify the settings.
A vulnerability in ProPump and Controls' Osprey Pump Controller 1.0.1 allows an unauthenticated attacker to access sensitive files. This vulnerability is due to the lack of authentication protection in the system navigation. By exploiting this vulnerability, an attacker can gain access to all critical pump station information without any password protection.
ProPump and Controls' Osprey Pump Controller 1.0.1 is vulnerable to a predictable session token / session hijack attack. The system does not have any password protection unless requested by the customer, allowing an attacker to easily gain access to the system. The attacker can then use the predictable session token to hijack the user's session and gain access to the system.