Description
Sustainable Irrigation Platform (SIP) through version 5.2.16 contains a mass assignment vulnerability that allows unauthenticated attackers to overwrite sensitive configuration settings by supplying arbitrary parameter names in HTTP requests. Attackers can manipulate parameters corresponding to sensitive values such as the passphrase and listening port, and can also achieve the same result through cross-site request forgery due to the absence of adequate request validation.
Problem types
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Product status
Any version
Credits
Gjoko Krstic of Zero Science Lab
References
www.zeroscience.mk/ (Zero Science Lab Advisory (ZSL-2026-5997))
www.vulncheck.com/...orm-mass-assignment-via-http-parameters