PT-2023-7478 · Unknown · Osprey Pump Controller

Published: 2023-03-23 · Updated: 2023-04-05 · CVE-2023-27394

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Osprey Pump Controller version 1.01

Description: The issue exists because the DataLogView.php, EventsView.php, and AlarmsView.php scripts of the Osprey Pump Controller software fail to neutralize special elements in an HTTP GET parameter before passing it to the operating system. This allows an unauthenticated remote attacker to inject and execute arbitrary shell commands on the controller.

Recommendations: For Osprey Pump Controller version 1.01, consider disabling the DataLogView.php, EventsView.php, and AlarmsView.php scripts until a patch is available, to prevent exploitation of the unauthenticated OS command injection vulnerability. Restrict access to these scripts and the HTTP GET parameter they accept to minimize the risk of arbitrary command execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
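While the affected scripts remain exposed, a defender can at least watch the web server access log for requests to them whose query values carry shell metacharacters. The following is an added example, not part of the advisory or the vendor's software: the log lines and the parameter names (log, filter) are constructed for illustration, since the advisory does not name the vulnerable GET parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Scripts named in the advisory as carrying the unauthenticated OS command injection.
AFFECTED_SCRIPTS = {"/DataLogView.php", "/EventsView.php", "/AlarmsView.php"}

# Characters that have no place in a legitimate log/event/alarm view parameter but
# let a shell chain or substitute commands: ; | & ` $ and embedded newlines.
SHELL_META = re.compile(r"[;|&`$\n\r]")

# Apache/nginx combined log format: client, ident, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (hypothetical client addresses and parameter names).
SAMPLE_LOG = [
    '10.0.0.7 - - [23/Mar/2023:10:01:02 +0000] "GET /DataLogView.php?log=2023-03-22 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [23/Mar/2023:10:01:05 +0000] "GET /DataLogView.php?log=2023-03-22%3Bid HTTP/1.1" 200 812',
    '10.0.0.9 - - [23/Mar/2023:10:01:09 +0000] "GET /EventsView.php?filter=%60whoami%60 HTTP/1.1" 200 640',
    '10.0.0.4 - - [23/Mar/2023:10:02:00 +0000] "GET /index.php?q=a%3Bb HTTP/1.1" 200 300',
]


def suspicious_params(target):
    """Return {param: decoded_value} for query values on an affected script that
    contain shell metacharacters; {} for unaffected scripts or clean requests."""
    parts = urlsplit(target)
    if parts.path not in AFFECTED_SCRIPTS:
        return {}
    flagged = {}
    # parse_qsl percent-decodes values, so %3B is inspected as ';'.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if SHELL_META.search(value):
            flagged[key] = value
    return flagged


def scan_access_log(lines):
    """Return [(client_ip, script_path, flagged_params)] for lines that look like injection attempts."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        flagged = suspicious_params(m.group("target"))
        if flagged:
            findings.append((m.group("ip"), urlsplit(m.group("target")).path, flagged))
    return findings


if __name__ == "__main__":
    for ip, script, params in scan_access_log(SAMPLE_LOG):
        print(f"{ip} -> {script} suspicious params: {params}")
```

Requests to index.php are deliberately ignored so the check stays scoped to the three scripts the advisory names; widen AFFECTED_SCRIPTS only if the vendor publishes further affected endpoints.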

Weakness Enumeration: OS Command Injection

Related Identifiers: BDU:2023-08522, CVE-2023-27394

Affected Products: Osprey Pump Controller