CVE-2023-28375
Published 2023-03-28
Priority: P3 46, high, 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.54% (71.7th percentile)
Osprey Pump Controller version 1.01 is vulnerable to an unauthenticated file disclosure. Using a GET parameter, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| propump_and_controls_inc | osprey_pump_controller | — | — |
| propumpservice | osprey_pump_controller_firmware | — | — |
GHSA
GHSA-9gx3-68p2-gppf: Osprey Pump Controller version 1
ghsa_unreviewed·2023-03-28
CVE-2023-28375 [HIGH] CWE-552 GHSA-9gx3-68p2-gppf: Osprey Pump Controller version 1
CISA ICS
ProPump and Controls Osprey Pump Controller (Update A)
cisa_ics·2024-02-08·CVSS 5.5
[MEDIUM] ProPump and Controls Osprey Pump Controller (Update A)
ICS Advisory
## ProPump and Controls Osprey Pump Controller (Update A)
Last Revised: February 08, 2024
Alert Code: ICSA-23-082-06
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: ProPump and Controls, Inc.
- Equipment: Osprey Pump Controller
- Vulnerabilities: Insufficient Entropy, Use of GET Request Method with Sensitive Query Strings, Use of Hard-coded Password, OS Command Injection, Cross-site Scripting, Authentication Bypass using an Alternate Path or Channel, Cross-Site Request Forgery, Command Injection
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access, retrieve sensitive information, modi
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.