#c++

Input passed to the GET parameter 'userName' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

The pump controller suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'eventFileSelected' HTTP GET parameter called by DataLogView.php, EventsView.php and AlarmsView.php scripts.

The pump controller suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'userName' HTTP POST parameter called by index.php script.

The pump controller suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pseudonym' HTTP POST parameter called by index.php script.

The controller has a hidden administrative account 'admin' that has the hardcoded password 'Mirage1234' that allows full access to the web management interface configuration. The user admin is not visible in Usernames and Passwords menu list (120) of the application and the password cannot be changed through any normal operation of the device. The backdoor lies in the /home/pi/Mirage/Mirage_ValidateSessionCode.x ELF binary.

The controller suffers from an unauthenticated file disclosure vulnerability. Using the 'eventFileSelected' GET parameter, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.

The pump controller's ELF binary Mirage_CreateSessionCode.x contains a weak session token generation algorithm that can be predicted and can aid in authentication and authorization bypass attacks. Further, session hijacking is possible due to MitM attack exploiting clear-text transmission of sensitive data including session token in URL. Session ID predictability and randomness analysis of the variable areas of the Session ID was conducted and discovered a predictable pattern. The low entropy is generated by using four IVs comprised of username, password, ip address and hostname.

The controller suffers from an unauthenticated command injection vulnerability that allows system access with www-data permissions.

In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.

An issue was discovered in lib60870 v2.3.2. There is a memory leak in lib60870/lib60870-C/examples/multi_client_server/multi_client_server.c.