CVE-2023-28398
Published: 2023-03-28
CVE-2023-28398: Osprey Pump Controller version 1.01 could allow an unauthenticated user to create an account and bypass authentication, thereby gaining unauthorized access to…
Priority: P267 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.89% (54.9th percentile)
Osprey Pump Controller version 1.01 could allow an unauthenticated user to create an account and bypass authentication, thereby gaining unauthorized access to the system. A threat actor could exploit this vulnerability to create a user account without providing valid credentials. A threat actor who successfully exploits this vulnerability could gain access to the pump controller and cause disruption in operation, modify data, or shut down the controller.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| propump_and_controls_inc | osprey_pump_controller | — | — |
| propumpservice | osprey_pump_controller_firmware | — | — |
GHSA
GHSA-xxmg-8g8r-g92f: Osprey Pump Controller version 1
ghsa_unreviewed · 2023-03-28 · CVE-2023-28398 · [CRITICAL] · CWE-287
CISA ICS
ProPump and Controls Osprey Pump Controller (Update A)
cisa_ics · 2024-02-08 · CVSS 5.5 · [MEDIUM]
ICS Advisory
Last Revised: February 08, 2024
Alert Code: ICSA-23-082-06
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: ProPump and Controls, Inc.
- Equipment: Osprey Pump Controller
- Vulnerabilities: Insufficient Entropy, Use of GET Request Method with Sensitive Query Strings, Use of Hard-coded Password, OS Command Injection, Cross-site Scripting, Authentication Bypass using an Alternate Path or Channel, Cross-Site Request Forgery, Command Injection
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access, retrieve sensitive information, modi
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-03-28