Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    42 vulnerabilities by contec

    JVNDB-2025-007754

    Vulnerability from jvndb - Published: 2025-07-02 11:31 - Updated:2025-07-02 11:31
    Severity
    Summary
    Multiple vulnerabilities in Contec CONPROSYS HMI System (CHS)
    Details
    CONPROSYS HMI System (CHS) provided by Contec Co.,Ltd. contains multiple vulnerabilities listed below. * Reflected cross-site scripting (CWE-79) - CVE-2025-34080 * Insertion of sensitive information into debugging code (CWE-215) - CVE-2025-34081 Alex Williams of Converge Technology Solutions reported these vulnerabilities to Vulncheck Inc., and Vulncheck Inc. reported these vulnerabilities to the developer. Based on the coordination request made by the developer, JPCERT/CC coordinated with Vulncheck Inc. and the developer.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-007754.html",
      "dc:date": "2025-07-02T11:31+09:00",
      "dcterms:issued": "2025-07-02T11:31+09:00",
      "dcterms:modified": "2025-07-02T11:31+09:00",
      "description": "CONPROSYS HMI System (CHS) provided by Contec Co.,Ltd. contains multiple vulnerabilities listed below.\r\n\r\n  * Reflected cross-site scripting (CWE-79) - CVE-2025-34080\r\n  * Insertion of sensitive information into debugging code (CWE-215) - CVE-2025-34081\r\n\r\nAlex Williams of Converge Technology Solutions reported these vulnerabilities to Vulncheck Inc., and\r\nVulncheck Inc. reported these vulnerabilities to the developer.\r\nBased on the coordination request made by the developer, JPCERT/CC coordinated with Vulncheck Inc. and the developer.",
      "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-007754.html",
      "sec:cpe": {
        "#text": "cpe:/a:contec:conprosys_hmi_system",
        "@product": "CONPROSYS HMI System (CHS)",
        "@vendor": "Contec",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "6.1",
        "@severity": "Medium",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2025-007754",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/vu/JVNVU92266386/index.html",
          "@id": "JVNVU#92266386",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-34080",
          "@id": "CVE-2025-34080",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-34081",
          "@id": "CVE-2025-34081",
          "@source": "CVE"
        },
        {
          "#text": "https://cwe.mitre.org/data/definitions/215.html",
          "@id": "CWE-215",
          "@title": "Insertion of Sensitive Information Into Debugging Code(CWE-215)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        }
      ],
      "title": "Multiple vulnerabilities in Contec CONPROSYS HMI System (CHS)"
    }

    JVNDB-2023-002002

    Vulnerability from jvndb - Published: 2023-06-01 13:48 - Updated:2024-03-19 18:13
    Severity
    Summary
    Multiple vulnerabilities in Contec CONPROSYS HMI System (CHS)
    Details
    CONPROSYS HMI System (CHS) provided by Contec Co., Ltd. contains multiple vulnerabilities listed below. * Plaintext storage of a password (CWE-256) - CVE-2023-28713 * Incorrect permission assignment for critical resource (CWE-732) - CVE-2023-28399 * Improper access control (CWE-284) - CVE-2023-28657 * Cross-site scripting (CWE-79) - CVE-2023-28651 * Server-side request forgery (CWE-918)- CVE-2023-28824 * SQL injection (CWE-89) - CVE-2023-29154 * Improper control of interaction frequency (CWE-799) - CVE-2023-2758 Michael Heinzl reported the vulnerabilities listed below to JPCERT/CC, and JPCERT/CC coordinated with the developer. CVE-2023-28713, CVE-2023-28399, CVE-2023-28657, CVE-2023-28651, CVE-2023-28824, CVE-2023-29154 Tenable, Inc. reported CVE-2023-2758 vulnerability to the developer, and based on the coordination request made by the developer, JPCERT/CC coordinated with Tenable, Inc. and the developer.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-002002.html",
      "dc:date": "2024-03-19T18:13+09:00",
      "dcterms:issued": "2023-06-01T13:48+09:00",
      "dcterms:modified": "2024-03-19T18:13+09:00",
      "description": "CONPROSYS HMI System (CHS) provided by Contec Co., Ltd. contains multiple vulnerabilities listed below.\r\n\r\n* Plaintext storage of a password (CWE-256) - CVE-2023-28713\r\n* Incorrect permission assignment for critical resource (CWE-732) - CVE-2023-28399\r\n* Improper access control (CWE-284) - CVE-2023-28657\r\n* Cross-site scripting (CWE-79) - CVE-2023-28651\r\n* Server-side request forgery (CWE-918)- CVE-2023-28824\r\n* SQL injection (CWE-89) - CVE-2023-29154\r\n* Improper control of interaction frequency (CWE-799) - CVE-2023-2758\r\n\r\nMichael Heinzl reported the vulnerabilities listed below to JPCERT/CC, and JPCERT/CC coordinated with the developer.\r\nCVE-2023-28713, CVE-2023-28399, CVE-2023-28657, CVE-2023-28651, CVE-2023-28824, CVE-2023-29154\r\n\r\nTenable, Inc. reported CVE-2023-2758 vulnerability to the developer, and based on the coordination request made by the developer, JPCERT/CC coordinated with Tenable, Inc. and the developer.",
      "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-002002.html",
      "sec:cpe": {
        "#text": "cpe:/a:contec:conprosys_hmi_system",
        "@product": "CONPROSYS HMI System (CHS)",
        "@vendor": "Contec",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "8.8",
        "@severity": "High",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2023-002002",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/vu/JVNVU93372935/index.html",
          "@id": "JVNVU#93372935",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-28713",
          "@id": "CVE-2023-28713",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-28399",
          "@id": "CVE-2023-28399",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-28657",
          "@id": "CVE-2023-28657",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-28651",
          "@id": "CVE-2023-28651",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-28824",
          "@id": "CVE-2023-28824",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-29154",
          "@id": "CVE-2023-29154",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-2758",
          "@id": "CVE-2023-2758",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-2758",
          "@id": "CVE-2023-2758",
          "@source": "NVD"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-28399",
          "@id": "CVE-2023-28399",
          "@source": "NVD"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-28651",
          "@id": "CVE-2023-28651",
          "@source": "NVD"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-28657",
          "@id": "CVE-2023-28657",
          "@source": "NVD"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-28713",
          "@id": "CVE-2023-28713",
          "@source": "NVD"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-28824",
          "@id": "CVE-2023-28824",
          "@source": "NVD"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-29154",
          "@id": "CVE-2023-29154",
          "@source": "NVD"
        },
        {
          "#text": "https://cwe.mitre.org/data/definitions/256.html",
          "@id": "CWE-256",
          "@title": "Unprotected Storage of Credentials(CWE-256)"
        },
        {
          "#text": "https://cwe.mitre.org/data/definitions/284.html",
          "@id": "CWE-284",
          "@title": "Improper Access Control(CWE-284)"
        },
        {
          "#text": "https://cwe.mitre.org/data/definitions/732.html",
          "@id": "CWE-732",
          "@title": "Incorrect Permission Assignment for Critical Resource(CWE-732)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        },
        {
          "#text": "https://cwe.mitre.org/data/definitions/799.html",
          "@id": "CWE-799",
          "@title": "Improper Control of Interaction Frequency(CWE-799)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-89",
          "@title": "SQL Injection(CWE-89)"
        },
        {
          "#text": "https://cwe.mitre.org/data/definitions/918.html",
          "@id": "CWE-918",
          "@title": "Server-Side Request Forgery (SSRF)(CWE-918)"
        }
      ],
      "title": "Multiple vulnerabilities in Contec CONPROSYS HMI System (CHS)"
    }

    JVNDB-2023-001774

    Vulnerability from jvndb - Published: 2023-05-09 16:09 - Updated:2024-06-27 13:30
    Severity
    Summary
    Multiple vulnerabilities in SolarView Compact
    Details
    SolarView Compact provided by CONTEC CO.,LTD. contains multiple vulnerabilities listed below. * Use of hard-coded credentials (CWE-798) - CVE-2023-27512 * OS command injection in the download page (CWE-78) - CVE-2023-27514 * Buffer overflow in the multiple setting pages (CWE-120) - CVE-2023-27518 * OS command injection in the mail setting page (CWE-78) - CVE-2023-27521 * Improper access control in the system date/time setting page (CWE-284) - CVE-2023-27920 CVE-2023-27512, CVE-2023-27514, CVE-2023-27518, CVE-2023-27521 Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer. CVE-2023-27920 CONTEC CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solutions through JVN.
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-001774.html",
      "dc:date": "2024-06-27T13:30+09:00",
      "dcterms:issued": "2023-05-09T16:09+09:00",
      "dcterms:modified": "2024-06-27T13:30+09:00",
      "description": "SolarView Compact provided by CONTEC CO.,LTD. contains multiple vulnerabilities listed below.\r\n\r\n  * Use of hard-coded credentials (CWE-798) - CVE-2023-27512\r\n  * OS command injection in the download page (CWE-78) - CVE-2023-27514\r\n  * Buffer overflow in the multiple setting pages (CWE-120) - CVE-2023-27518\r\n  * OS command injection in the mail setting page (CWE-78) - CVE-2023-27521\r\n  * Improper access control in the system date/time setting page (CWE-284) - CVE-2023-27920\r\n\r\nCVE-2023-27512, CVE-2023-27514, CVE-2023-27518, CVE-2023-27521\r\nChuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.\r\n\r\nCVE-2023-27920\r\nCONTEC CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solutions through JVN.",
      "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-001774.html",
      "sec:cpe": [
        {
          "#text": "cpe:/o:contec:sv-cpt-mc310f_firmware",
          "@product": "SolarView Compact SV-CPT-MC310F",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:sv-cpt-mc310_firmware",
          "@product": "SolarView Compact SV-CPT-MC310",
          "@vendor": "Contec",
          "@version": "2.2"
        }
      ],
      "sec:cvss": {
        "@score": "8.8",
        "@severity": "High",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2023-001774",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/vu/JVNVU92106300/index.html",
          "@id": "JVNVU#92106300",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-27512",
          "@id": "CVE-2023-27512",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-27514",
          "@id": "CVE-2023-27514",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-27518",
          "@id": "CVE-2023-27518",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-27521",
          "@id": "CVE-2023-27521",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-27920",
          "@id": "CVE-2023-27920",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-27512",
          "@id": "CVE-2023-27512",
          "@source": "NVD"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-27514",
          "@id": "CVE-2023-27514",
          "@source": "NVD"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-27518",
          "@id": "CVE-2023-27518",
          "@source": "NVD"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-27521",
          "@id": "CVE-2023-27521",
          "@source": "NVD"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-27920",
          "@id": "CVE-2023-27920",
          "@source": "NVD"
        },
        {
          "#text": "https://cwe.mitre.org/data/definitions/120.html",
          "@id": "CWE-120",
          "@title": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)(CWE-120)"
        },
        {
          "#text": "https://cwe.mitre.org/data/definitions/284.html",
          "@id": "CWE-284",
          "@title": "Improper Access Control(CWE-284)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-78",
          "@title": "OS Command Injection(CWE-78)"
        },
        {
          "#text": "https://cwe.mitre.org/data/definitions/798.html",
          "@id": "CWE-798",
          "@title": "Use of Hard-coded Credentials(CWE-798)"
        }
      ],
      "title": "Multiple vulnerabilities in SolarView Compact"
    }

    JVNDB-2023-001400

    Vulnerability from jvndb - Published: 2023-04-03 16:19 - Updated:2023-04-03 16:19
    Severity
    Summary
    CONPROSYS HMI System(CHS) vulnerable to SQL injection
    Details
    CONPROSYS HMI System(CHS) provided by Contec Co., Ltd. contains an SQL injection vulnerability (CWE-89, CVE-2023-1658). Tenable Network Security reported this vulnerability to the developer. JPCERT/CC coordinated with the reporter and the developer.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-001400.html",
      "dc:date": "2023-04-03T16:19+09:00",
      "dcterms:issued": "2023-04-03T16:19+09:00",
      "dcterms:modified": "2023-04-03T16:19+09:00",
      "description": "CONPROSYS HMI System(CHS) provided by Contec Co., Ltd. contains an SQL injection vulnerability (CWE-89, CVE-2023-1658).\r\n\r\nTenable Network Security reported this vulnerability to the developer.\r\nJPCERT/CC coordinated with the reporter and the developer.",
      "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-001400.html",
      "sec:cpe": {
        "#text": "cpe:/a:contec:conprosys_hmi_system",
        "@product": "CONPROSYS HMI System (CHS)",
        "@vendor": "Contec",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "7.5",
        "@severity": "High",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2023-001400",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/vu/JVNVU92145493/index.html",
          "@id": "JVNVU#92145493",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-1658",
          "@id": "CVE-2023-1658",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-89",
          "@title": "SQL Injection(CWE-89)"
        }
      ],
      "title": "CONPROSYS HMI System(CHS) vulnerable to SQL injection"
    }

    JVNDB-2023-001320

    Vulnerability from jvndb - Published: 2023-03-22 13:41 - Updated:2024-06-04 17:00
    Severity
    Summary
    Multiple vulnerabilities in Contec CONPROSYS IoT Gateway products
    Details
    CONPROSYS IoT Gateway products provided by Contec CO.,LTD. contain multiple vulnerabilities listed below. * OS Command Injection (CWE-78) - CVE-2023-27917 Network Maintenance page validates input values improperly, resulting in OS command injection. * Inadequate Encryption Strength (CWE-326) - CVE-2023-27389 Firmware update file contains a firmware image encrypted, which can be decrypted by examining the bundled install script and a little more work. * Improper Access Control (CWE-284) - CVE-2023-23575 Network Maintenance page should be available only to administrative users, but the device fails to restrict access.
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-001320.html",
      "dc:date": "2024-06-04T17:00+09:00",
      "dcterms:issued": "2023-03-22T13:41+09:00",
      "dcterms:modified": "2024-06-04T17:00+09:00",
      "description": "CONPROSYS IoT Gateway products provided by Contec CO.,LTD. contain multiple vulnerabilities listed below.\r\n\r\n* OS Command Injection (CWE-78) - CVE-2023-27917\r\nNetwork Maintenance page validates input values improperly, resulting in OS command injection.\r\n* Inadequate Encryption Strength (CWE-326) - CVE-2023-27389\r\nFirmware update file contains a firmware image encrypted, which can be decrypted by examining the bundled install script and a little more work.\r\n* Improper Access Control (CWE-284) - CVE-2023-23575\r\nNetwork Maintenance page should be available only to administrative users, but the device fails to restrict access.",
      "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-001320.html",
      "sec:cpe": [
        {
          "#text": "cpe:/o:contec:cps-mc341-a1-111_firmware",
          "@product": "CPS-MC341-A1-111",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mc341-adsc1-111_firmware",
          "@product": "CPS-MC341-ADSC1-111",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mc341-adsc1-931_firmware",
          "@product": "CPS-MC341-ADSC1-931",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mc341-adsc2-111_firmware",
          "@product": "CPS-MC341-ADSC2-111",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mc341-ds1-111_firmware",
          "@product": "CPS-MC341-DS1-111",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mc341-ds11-111_firmware",
          "@product": "CPS-MC341-DS11-111",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mc341-ds2-911_firmware",
          "@product": "CPS-MC341-DS2-911",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mc341g-adsc1-110_firmwar",
          "@product": "CPS-MC341G-ADSC1-110",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mc341q-adsc1-111_firmware",
          "@product": "CPS-MC341Q-ADSC1-111",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mcs341-ds1-111_firmware",
          "@product": "CPS-MCS341-DS1-111",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mcs341-ds1-131_firmware",
          "@product": "CPS-MCS341-DS1-131",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mcs341g-ds1-130_firmware",
          "@product": "CPS-MCS341G-DS1-130",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mcs341g5-ds1-130_firmware",
          "@product": "CPS-MCS341G5-DS1-130",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mcs341q-ds1-131_firmware",
          "@product": "CPS-MCS341Q-DS1-131",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mg341-adsc1-111_firmware",
          "@product": "CPS-MG341-ADSC1-111",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mg341-adsc1-931_firmware",
          "@product": "CPS-MG341-ADSC1-931",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mg341g-adsc1-111_firmware",
          "@product": "CPS-MG341G-ADSC1-111",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mg341g-adsc1-930_firmware",
          "@product": "CPS-MG341G-ADSC1-930",
          "@vendor": "Contec",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/o:contec:cps-mg341g5-adsc1-931_firmware",
          "@product": "CPS-MG341G5-ADSC1-931",
          "@vendor": "Contec",
          "@version": "2.2"
        }
      ],
      "sec:cvss": {
        "@score": "8.8",
        "@severity": "High",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2023-001320",
      "sec:references": [
        {
          "#text": "http://jvn.jp/en/vu/JVNVU96198617/index.html",
          "@id": "JVNVU#96198617",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-27917",
          "@id": "CVE-2023-27917",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-27389",
          "@id": "CVE-2023-27389",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-23575",
          "@id": "CVE-2023-23575",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-23575",
          "@id": "CVE-2023-23575",
          "@source": "NVD"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-27389",
          "@id": "CVE-2023-27389",
          "@source": "NVD"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-27917",
          "@id": "CVE-2023-27917",
          "@source": "NVD"
        },
        {
          "#text": "https://cwe.mitre.org/data/definitions/284.html",
          "@id": "CWE-284",
          "@title": "Improper Access Control(CWE-284)"
        },
        {
          "#text": "https://cwe.mitre.org/data/definitions/326.html",
          "@id": "CWE-326",
          "@title": "Inadequate Encryption Strength(CWE-326)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-78",
          "@title": "OS Command Injection(CWE-78)"
        }
      ],
      "title": "Multiple vulnerabilities in Contec CONPROSYS IoT Gateway products"
    }

    JVNDB-2023-001108

    Vulnerability from jvndb - Published: 2023-01-24 13:38 - Updated:2023-01-24 13:38
    Severity
    Summary
    Contec CONPROSYS HMI System (CHS) vulnerable to multiple SQL injections
    Details
    CONPROSYS HMI System (CHS) provided by CONTEC CO.,LTD. contains multiple SQL injection vulnerabilities (CWE-89). Mosin from ELEX FEIGONG RESEARCH INSTITUTE of Elex CyberSecurity, Inc., reported these vulnerabilities to Contec Co., Ltd. Contec Co., Ltd. reported the issues to JPCERT/CC in order to notify the solutions to the users through JVN.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-001108.html",
      "dc:date": "2023-01-24T13:38+09:00",
      "dcterms:issued": "2023-01-24T13:38+09:00",
      "dcterms:modified": "2023-01-24T13:38+09:00",
      "description": "CONPROSYS HMI System (CHS) provided by CONTEC CO.,LTD. contains multiple SQL injection vulnerabilities (CWE-89).\r\n\r\nMosin from ELEX FEIGONG RESEARCH INSTITUTE of Elex CyberSecurity, Inc., reported these vulnerabilities to Contec Co., Ltd.\r\nContec Co., Ltd. reported the issues to JPCERT/CC in order to notify the solutions to the users through JVN.",
      "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-001108.html",
      "sec:cpe": {
        "#text": "cpe:/a:contec:conprosys_hmi_system",
        "@product": "CONPROSYS HMI System (CHS)",
        "@vendor": "Contec",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "4.3",
        "@severity": "Medium",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2023-001108",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/vu/JVNVU97195023/index.html",
          "@id": "JVNVU#97195023",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-22324",
          "@id": "CVE-2023-22324",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-22324",
          "@id": "CVE-2023-22324",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-89",
          "@title": "SQL Injection(CWE-89)"
        }
      ],
      "title": "Contec CONPROSYS HMI System (CHS) vulnerable to multiple SQL injections"
    }

    CVE-2025-34081 (GCVE-0-2025-34081)

    Vulnerability from nvd – Published: 2025-07-01 17:56 – Updated: 2025-11-21 19:24
    VLAI
    Title
    CONPROSYS HMI System (CHS) < 3.7.7 Exposed PHP Debug Info
    Summary
    The Contec Co.,Ltd. CONPROSYS HMI System (CHS) exposes a PHP phpinfo() debug page to unauthenticated users that may contain sensitive data useful for an attacker.This issue affects CONPROSYS HMI System (CHS): before 3.7.7.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-215 - Insertion of Sensitive Information Into Debugging Code
    Assigner
    References
    Impacted products
    Vendor Product Version
    Contec Co.,Ltd. CONPROSYS HMI System (CHS) Affected: 0 , < 3.7.7 (semver)
    Create a notification for this product.
    Credits
    Alex Williams of Converge Technology Solutions
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-34081",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-01T18:48:45.941957Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-01T18:48:56.610Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co.,Ltd.",
              "versions": [
                {
                  "lessThan": "3.7.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:contec:conprosys_hmi_system:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.7.7",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Alex Williams of Converge Technology Solutions"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Contec Co.,Ltd. CONPROSYS HMI System (CHS) exposes a PHP phpinfo() debug page to unauthenticated users that may contain sensitive data useful for an attacker.\u003cp\u003eThis issue affects CONPROSYS HMI System (CHS): before 3.7.7.\u003c/p\u003e"
                }
              ],
              "value": "The Contec Co.,Ltd. CONPROSYS HMI System (CHS) exposes a PHP phpinfo() debug page to unauthenticated users that may contain sensitive data useful for an attacker.This issue affects CONPROSYS HMI System (CHS): before 3.7.7."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-215",
                  "description": "CWE-215 Insertion of Sensitive Information Into Debugging Code",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-21T19:24:57.237Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://jvn.jp/en/vu/JVNVU92266386/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/conprosys-hmi-system-exposed-php-debug-info"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CONPROSYS HMI System (CHS) \u003c 3.7.7 Exposed PHP Debug Info",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2025-34081",
        "datePublished": "2025-07-01T17:56:56.073Z",
        "dateReserved": "2025-04-15T19:15:22.551Z",
        "dateUpdated": "2025-11-21T19:24:57.237Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-34080 (GCVE-0-2025-34080)

    Vulnerability from nvd – Published: 2025-07-01 17:51 – Updated: 2025-11-21 19:25
    VLAI
    Title
    CONPROSYS HMI System (CHS) < 3.7.7 Reflected Cross-Site Scripting
    Summary
    The Contec Co.,Ltd. CONPROSYS HMI System (CHS) is vulnerable to Cross-Site Scripting (XSS) in the getqsetting.php functionality that could allow reflected execution of scripts in the browser on interaction.This issue affects CONPROSYS HMI System (CHS): before 3.7.7.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Contec Co.,Ltd. CONPROSYS HMI System (CHS) Affected: 0 , < 3.7.7 (semver)
    Create a notification for this product.
    Credits
    Alex Williams of Converge Technology Solutions
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-34080",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-01T18:47:11.611812Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-01T18:47:23.334Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "getqsetting.php"
              ],
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co.,Ltd.",
              "versions": [
                {
                  "lessThan": "3.7.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:contec:conprosys_hmi_system:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.7.7",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Alex Williams of Converge Technology Solutions"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Contec Co.,Ltd. CONPROSYS HMI System (CHS) is vulnerable to Cross-Site Scripting (XSS) in the getqsetting.php functionality that could allow reflected execution of scripts in the browser on interaction.\u003cp\u003eThis issue affects CONPROSYS HMI System (CHS): before 3.7.7.\u003c/p\u003e"
                }
              ],
              "value": "The Contec Co.,Ltd. CONPROSYS HMI System (CHS) is vulnerable to Cross-Site Scripting (XSS) in the getqsetting.php functionality that could allow reflected execution of scripts in the browser on interaction.This issue affects CONPROSYS HMI System (CHS): before 3.7.7."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-21T19:25:27.043Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://jvn.jp/en/vu/JVNVU92266386/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/conprosys-hmi-system-reflected-xss"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CONPROSYS HMI System (CHS) \u003c 3.7.7 Reflected Cross-Site Scripting",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2025-34080",
        "datePublished": "2025-07-01T17:51:53.979Z",
        "dateReserved": "2025-04-15T19:15:22.550Z",
        "dateUpdated": "2025-11-21T19:25:27.043Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-29154 (GCVE-0-2023-29154)

    Vulnerability from nvd – Published: 2023-06-01 00:00 – Updated: 2025-01-09 19:24
    VLAI
    Summary
    SQL injection vulnerability exists in the CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user who can access the affected product with an administrative privilege may execute an arbitrary SQL command via specially crafted input to the query setting page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • SQL Injection
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: versions prior to 3.5.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:00:15.588Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU93372935/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-29154",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T19:24:32.817341Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-89",
                    "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T19:24:43.251Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "versions prior to 3.5.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability exists in the CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user who can access the affected product with an administrative privilege may execute an arbitrary SQL command via specially crafted input to the query setting page."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-01T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
            },
            {
              "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU93372935/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-29154",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-05-11T00:00:00.000Z",
        "dateUpdated": "2025-01-09T19:24:43.251Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28824 (GCVE-0-2023-28824)

    Vulnerability from nvd – Published: 2023-06-01 00:00 – Updated: 2025-01-09 19:29
    VLAI
    Summary
    Server-side request forgery vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user who can access the affected product with an administrative privilege may bypass the database restriction set on the query setting page, and connect to a user unintended database.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Server-side request forgery
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: versions prior to 3.5.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:51:38.483Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU93372935/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.9,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28824",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T19:29:12.150296Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-918",
                    "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T19:29:17.173Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "versions prior to 3.5.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Server-side request forgery vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user who can access the affected product with an administrative privilege may bypass the database restriction set on the query setting page, and connect to a user unintended database."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Server-side request forgery",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-01T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
            },
            {
              "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU93372935/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-28824",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-05-11T00:00:00.000Z",
        "dateUpdated": "2025-01-09T19:29:17.173Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28713 (GCVE-0-2023-28713)

    Vulnerability from nvd – Published: 2023-06-01 00:00 – Updated: 2025-01-09 19:30
    VLAI
    Summary
    Plaintext storage of a password exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. Because account information of the database is saved in a local file in plaintext, a user who can access the PC where the affected product is installed can obtain the information. As a result, information in the database may be obtained and/or altered by the user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Plaintext storage of a password
    • CWE-312 - Cleartext Storage of Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: versions prior to 3.5.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:43:23.758Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU93372935/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28713",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T19:30:21.235750Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-312",
                    "description": "CWE-312 Cleartext Storage of Sensitive Information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T19:30:31.500Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "versions prior to 3.5.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Plaintext storage of a password exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. Because account information of the database is saved in a local file in plaintext, a user who can access the PC where the affected product is installed can obtain the information. As a result, information in the database may be obtained and/or altered by the user."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Plaintext storage of a password",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-01T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
            },
            {
              "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU93372935/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-28713",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-05-11T00:00:00.000Z",
        "dateUpdated": "2025-01-09T19:30:31.500Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28657 (GCVE-0-2023-28657)

    Vulnerability from nvd – Published: 2023-06-01 00:00 – Updated: 2025-01-09 19:32
    VLAI
    Summary
    Improper access control vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user of the PC where the affected product is installed may gain an administrative privilege. As a result, information regarding the product may be obtained and/or altered by the user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Improper access control
    • CWE-862 - Missing Authorization
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: versions prior to 3.5.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:43:23.661Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU93372935/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28657",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T19:32:06.363729Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-862",
                    "description": "CWE-862 Missing Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T19:32:38.643Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "versions prior to 3.5.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user of the PC where the affected product is installed may gain an administrative privilege. As a result, information regarding the product may be obtained and/or altered by the user."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper access control",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-01T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
            },
            {
              "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU93372935/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-28657",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-05-11T00:00:00.000Z",
        "dateUpdated": "2025-01-09T19:32:38.643Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28651 (GCVE-0-2023-28651)

    Vulnerability from nvd – Published: 2023-06-01 00:00 – Updated: 2025-01-09 20:52
    VLAI
    Summary
    Cross-site scripting vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. If a user who can access the affected product with an administrative privilege configures specially crafted settings, an arbitrary script may be executed on the web browser of the other user who is accessing the affected product with an administrative privilege.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: versions prior to 3.5.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:43:23.556Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU93372935/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.8,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28651",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T20:52:23.669263Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T20:52:29.606Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "versions prior to 3.5.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. If a user who can access the affected product with an administrative privilege configures specially crafted settings, an arbitrary script may be executed on the web browser of the other user who is accessing the affected product with an administrative privilege."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-01T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
            },
            {
              "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU93372935/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-28651",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-05-11T00:00:00.000Z",
        "dateUpdated": "2025-01-09T20:52:29.606Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28399 (GCVE-0-2023-28399)

    Vulnerability from nvd – Published: 2023-06-01 00:00 – Updated: 2025-01-09 20:53
    VLAI
    Summary
    Incorrect permission assignment for critical resource exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. ACL (Access Control List) is not appropriately set to the local folder where the affected product is installed, therefore a wide range of privileges is permitted to a user of the PC where the affected product is installed. As a result, the user may be able to destroy the system and/or execute a malicious program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Incorrect permission assignment for critical resource
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: versions prior to 3.5.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T12:38:25.168Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU93372935/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28399",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T20:53:17.563643Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-732",
                    "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T20:53:21.940Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "versions prior to 3.5.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Incorrect permission assignment for critical resource exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. ACL (Access Control List) is not appropriately set to the local folder where the affected product is installed, therefore a wide range of privileges is permitted to a user of the PC where the affected product is installed. As a result, the user may be able to destroy the system and/or execute a malicious program."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Incorrect permission assignment for critical resource",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-01T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
            },
            {
              "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU93372935/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-28399",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-05-11T00:00:00.000Z",
        "dateUpdated": "2025-01-09T20:53:21.940Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-2758 (GCVE-0-2023-2758)

    Vulnerability from nvd – Published: 2023-05-31 14:09 – Updated: 2025-01-09 20:26
    VLAI
    Title
    Contec CONPROSYS HMI System (CHS) v3.5.2 Denial of Service
    Summary
    A denial of service vulnerability exists in Contec CONPROSYS HMI System versions 3.5.2 and prior. When there is a time-zone mismatch in certain configuration files, a remote, unauthenticated attacker may deny logins for an extended period of time.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Contec CONPROSYS HMI System Affected: 0 , ≤ 3.5.2 (custom)
    Create a notification for this product.
    Date Public
    2023-05-31 14:08
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:33:05.476Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.tenable.com/security/research/tra-2023-21"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU93372935/index.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-2758",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T20:25:29.496343Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T20:26:25.295Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CONPROSYS HMI System",
              "vendor": "Contec",
              "versions": [
                {
                  "lessThanOrEqual": "3.5.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2023-05-31T14:08:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A denial of service vulnerability exists in Contec CONPROSYS HMI System versions 3.5.2 and prior. When there is a time-zone mismatch in certain configuration files, a remote, unauthenticated attacker may deny logins for an extended period of time."
                }
              ],
              "value": "A denial of service vulnerability exists in Contec CONPROSYS HMI System versions 3.5.2 and prior. When there is a time-zone mismatch in certain configuration files, a remote, unauthenticated attacker may deny logins for an extended period of time."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-799",
                  "description": "CWE-799",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-31T14:09:49.809Z",
            "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
            "shortName": "tenable"
          },
          "references": [
            {
              "url": "https://www.tenable.com/security/research/tra-2023-21"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU93372935/index.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Contec CONPROSYS HMI System (CHS) v3.5.2 Denial of Service",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
        "assignerShortName": "tenable",
        "cveId": "CVE-2023-2758",
        "datePublished": "2023-05-31T14:09:49.809Z",
        "dateReserved": "2023-05-17T12:46:36.673Z",
        "dateUpdated": "2025-01-09T20:26:25.295Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-22324 (GCVE-0-2023-22324)

    Vulnerability from nvd – Published: 2023-01-30 00:00 – Updated: 2025-03-28 14:08
    VLAI
    Summary
    SQL injection vulnerability in the CONPROSYS HMI System (CHS) Ver.3.5.0 and earlier allows a remote authenticated attacker to execute an arbitrary SQL command. As a result, information stored in the database may be obtained.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • SQL Injection
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: Ver.3.5.0 and earlier
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:07:06.179Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c\u0026downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230124_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU97195023/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-22324",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-28T14:07:42.736462Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-89",
                    "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-28T14:08:12.248Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.3.5.0 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in the CONPROSYS HMI System (CHS) Ver.3.5.0 and earlier allows a remote authenticated attacker to execute an arbitrary SQL command. As a result, information stored in the database may be obtained."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-30T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c\u0026downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b"
            },
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230124_en.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU97195023/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-22324",
        "datePublished": "2023-01-30T00:00:00.000Z",
        "dateReserved": "2022-12-28T00:00:00.000Z",
        "dateUpdated": "2025-03-28T14:08:12.248Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-22373 (GCVE-0-2023-22373)

    Vulnerability from nvd – Published: 2023-01-20 00:00 – Updated: 2025-04-03 20:04
    VLAI
    Summary
    Cross-site scripting vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to inject an arbitrary script and obtain the sensitive information.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: Ver.3.4.5 and earlier
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:07:06.504Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c\u0026downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU96873821"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-22373",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-02T15:29:32.131634Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-03T20:04:31.151Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.3.4.5 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to inject an arbitrary script and obtain the sensitive information."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-20T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c\u0026downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b"
            },
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU96873821"
            },
            {
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-22373",
        "datePublished": "2023-01-20T00:00:00.000Z",
        "dateReserved": "2022-12-20T00:00:00.000Z",
        "dateUpdated": "2025-04-03T20:04:31.151Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-22339 (GCVE-0-2023-22339)

    Vulnerability from nvd – Published: 2023-01-20 00:00 – Updated: 2025-04-03 20:03
    VLAI
    Summary
    Improper access control vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthenticated attacker to bypass access restriction and obtain the server certificate including the private key of the product.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper access control
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: Ver.3.4.5 and earlier
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:07:06.134Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c\u0026downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU96873821"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-22339",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-03T20:03:37.484856Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-03T20:03:53.564Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.3.4.5 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthenticated attacker to bypass access restriction and obtain the server certificate including the private key of the product."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper access control",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-20T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c\u0026downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b"
            },
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU96873821"
            },
            {
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-22339",
        "datePublished": "2023-01-20T00:00:00.000Z",
        "dateReserved": "2022-12-20T00:00:00.000Z",
        "dateUpdated": "2025-04-03T20:03:53.564Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-22334 (GCVE-0-2023-22334)

    Vulnerability from nvd – Published: 2023-01-20 00:00 – Updated: 2025-04-03 15:18
    VLAI
    Summary
    Use of password hash instead of password for authentication vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to obtain user credentials information via a man-in-the-middle attack.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Use of password hash instead of password for authentication
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: Ver.3.4.5 and earlier
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:07:06.217Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c\u0026downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU96873821"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-22334",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-03T15:18:39.362291Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-287",
                    "description": "CWE-287 Improper Authentication",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-03T15:18:44.743Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.3.4.5 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Use of password hash instead of password for authentication vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to obtain user credentials information via a man-in-the-middle attack."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Use of password hash instead of password for authentication",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-20T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c\u0026downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b"
            },
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU96873821"
            },
            {
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-22334",
        "datePublished": "2023-01-20T00:00:00.000Z",
        "dateReserved": "2022-12-20T00:00:00.000Z",
        "dateUpdated": "2025-04-03T15:18:44.743Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-22331 (GCVE-0-2023-22331)

    Vulnerability from nvd – Published: 2023-01-20 00:00 – Updated: 2025-04-03 17:58
    VLAI
    Summary
    Use of default credentials vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthenticated attacker to alter user credentials information.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Use of default credentials
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: Ver.3.4.5 and earlier
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:07:06.252Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c\u0026downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU96873821"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-22331",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-03T17:57:41.016834Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-269",
                    "description": "CWE-269 Improper Privilege Management",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-03T17:58:46.888Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.3.4.5 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Use of default credentials vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthenticated attacker to alter user credentials information."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Use of default credentials",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-20T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c\u0026downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b"
            },
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU96873821"
            },
            {
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-22331",
        "datePublished": "2023-01-20T00:00:00.000Z",
        "dateReserved": "2022-12-20T00:00:00.000Z",
        "dateUpdated": "2025-04-03T17:58:46.888Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-34081 (GCVE-0-2025-34081)

    Vulnerability from cvelistv5 – Published: 2025-07-01 17:56 – Updated: 2025-11-21 19:24
    VLAI
    Title
    CONPROSYS HMI System (CHS) < 3.7.7 Exposed PHP Debug Info
    Summary
    The Contec Co.,Ltd. CONPROSYS HMI System (CHS) exposes a PHP phpinfo() debug page to unauthenticated users that may contain sensitive data useful for an attacker.This issue affects CONPROSYS HMI System (CHS): before 3.7.7.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-215 - Insertion of Sensitive Information Into Debugging Code
    Assigner
    References
    Impacted products
    Vendor Product Version
    Contec Co.,Ltd. CONPROSYS HMI System (CHS) Affected: 0 , < 3.7.7 (semver)
    Create a notification for this product.
    Credits
    Alex Williams of Converge Technology Solutions
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-34081",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-01T18:48:45.941957Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-01T18:48:56.610Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co.,Ltd.",
              "versions": [
                {
                  "lessThan": "3.7.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:contec:conprosys_hmi_system:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.7.7",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Alex Williams of Converge Technology Solutions"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Contec Co.,Ltd. CONPROSYS HMI System (CHS) exposes a PHP phpinfo() debug page to unauthenticated users that may contain sensitive data useful for an attacker.\u003cp\u003eThis issue affects CONPROSYS HMI System (CHS): before 3.7.7.\u003c/p\u003e"
                }
              ],
              "value": "The Contec Co.,Ltd. CONPROSYS HMI System (CHS) exposes a PHP phpinfo() debug page to unauthenticated users that may contain sensitive data useful for an attacker.This issue affects CONPROSYS HMI System (CHS): before 3.7.7."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-215",
                  "description": "CWE-215 Insertion of Sensitive Information Into Debugging Code",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-21T19:24:57.237Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://jvn.jp/en/vu/JVNVU92266386/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/conprosys-hmi-system-exposed-php-debug-info"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CONPROSYS HMI System (CHS) \u003c 3.7.7 Exposed PHP Debug Info",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2025-34081",
        "datePublished": "2025-07-01T17:56:56.073Z",
        "dateReserved": "2025-04-15T19:15:22.551Z",
        "dateUpdated": "2025-11-21T19:24:57.237Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-34080 (GCVE-0-2025-34080)

    Vulnerability from cvelistv5 – Published: 2025-07-01 17:51 – Updated: 2025-11-21 19:25
    VLAI
    Title
    CONPROSYS HMI System (CHS) < 3.7.7 Reflected Cross-Site Scripting
    Summary
    The Contec Co.,Ltd. CONPROSYS HMI System (CHS) is vulnerable to Cross-Site Scripting (XSS) in the getqsetting.php functionality that could allow reflected execution of scripts in the browser on interaction.This issue affects CONPROSYS HMI System (CHS): before 3.7.7.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Contec Co.,Ltd. CONPROSYS HMI System (CHS) Affected: 0 , < 3.7.7 (semver)
    Create a notification for this product.
    Credits
    Alex Williams of Converge Technology Solutions
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-34080",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-01T18:47:11.611812Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-01T18:47:23.334Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "getqsetting.php"
              ],
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co.,Ltd.",
              "versions": [
                {
                  "lessThan": "3.7.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:contec:conprosys_hmi_system:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.7.7",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Alex Williams of Converge Technology Solutions"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Contec Co.,Ltd. CONPROSYS HMI System (CHS) is vulnerable to Cross-Site Scripting (XSS) in the getqsetting.php functionality that could allow reflected execution of scripts in the browser on interaction.\u003cp\u003eThis issue affects CONPROSYS HMI System (CHS): before 3.7.7.\u003c/p\u003e"
                }
              ],
              "value": "The Contec Co.,Ltd. CONPROSYS HMI System (CHS) is vulnerable to Cross-Site Scripting (XSS) in the getqsetting.php functionality that could allow reflected execution of scripts in the browser on interaction.This issue affects CONPROSYS HMI System (CHS): before 3.7.7."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-21T19:25:27.043Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://jvn.jp/en/vu/JVNVU92266386/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/conprosys-hmi-system-reflected-xss"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CONPROSYS HMI System (CHS) \u003c 3.7.7 Reflected Cross-Site Scripting",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2025-34080",
        "datePublished": "2025-07-01T17:51:53.979Z",
        "dateReserved": "2025-04-15T19:15:22.550Z",
        "dateUpdated": "2025-11-21T19:25:27.043Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-28657 (GCVE-0-2023-28657)

    Vulnerability from cvelistv5 – Published: 2023-06-01 00:00 – Updated: 2025-01-09 19:32
    VLAI
    Summary
    Improper access control vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user of the PC where the affected product is installed may gain an administrative privilege. As a result, information regarding the product may be obtained and/or altered by the user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Improper access control
    • CWE-862 - Missing Authorization
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: versions prior to 3.5.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:43:23.661Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU93372935/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28657",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T19:32:06.363729Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-862",
                    "description": "CWE-862 Missing Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T19:32:38.643Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "versions prior to 3.5.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user of the PC where the affected product is installed may gain an administrative privilege. As a result, information regarding the product may be obtained and/or altered by the user."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper access control",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-01T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
            },
            {
              "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU93372935/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-28657",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-05-11T00:00:00.000Z",
        "dateUpdated": "2025-01-09T19:32:38.643Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28399 (GCVE-0-2023-28399)

    Vulnerability from cvelistv5 – Published: 2023-06-01 00:00 – Updated: 2025-01-09 20:53
    VLAI
    Summary
    Incorrect permission assignment for critical resource exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. ACL (Access Control List) is not appropriately set to the local folder where the affected product is installed, therefore a wide range of privileges is permitted to a user of the PC where the affected product is installed. As a result, the user may be able to destroy the system and/or execute a malicious program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Incorrect permission assignment for critical resource
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: versions prior to 3.5.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T12:38:25.168Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU93372935/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28399",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T20:53:17.563643Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-732",
                    "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T20:53:21.940Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "versions prior to 3.5.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Incorrect permission assignment for critical resource exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. ACL (Access Control List) is not appropriately set to the local folder where the affected product is installed, therefore a wide range of privileges is permitted to a user of the PC where the affected product is installed. As a result, the user may be able to destroy the system and/or execute a malicious program."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Incorrect permission assignment for critical resource",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-01T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
            },
            {
              "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU93372935/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-28399",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-05-11T00:00:00.000Z",
        "dateUpdated": "2025-01-09T20:53:21.940Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28713 (GCVE-0-2023-28713)

    Vulnerability from cvelistv5 – Published: 2023-06-01 00:00 – Updated: 2025-01-09 19:30
    VLAI
    Summary
    Plaintext storage of a password exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. Because account information of the database is saved in a local file in plaintext, a user who can access the PC where the affected product is installed can obtain the information. As a result, information in the database may be obtained and/or altered by the user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Plaintext storage of a password
    • CWE-312 - Cleartext Storage of Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: versions prior to 3.5.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:43:23.758Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU93372935/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28713",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T19:30:21.235750Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-312",
                    "description": "CWE-312 Cleartext Storage of Sensitive Information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T19:30:31.500Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "versions prior to 3.5.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Plaintext storage of a password exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. Because account information of the database is saved in a local file in plaintext, a user who can access the PC where the affected product is installed can obtain the information. As a result, information in the database may be obtained and/or altered by the user."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Plaintext storage of a password",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-01T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
            },
            {
              "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU93372935/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-28713",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-05-11T00:00:00.000Z",
        "dateUpdated": "2025-01-09T19:30:31.500Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-29154 (GCVE-0-2023-29154)

    Vulnerability from cvelistv5 – Published: 2023-06-01 00:00 – Updated: 2025-01-09 19:24
    VLAI
    Summary
    SQL injection vulnerability exists in the CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user who can access the affected product with an administrative privilege may execute an arbitrary SQL command via specially crafted input to the query setting page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • SQL Injection
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: versions prior to 3.5.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:00:15.588Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU93372935/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-29154",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T19:24:32.817341Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-89",
                    "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T19:24:43.251Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "versions prior to 3.5.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability exists in the CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user who can access the affected product with an administrative privilege may execute an arbitrary SQL command via specially crafted input to the query setting page."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-01T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
            },
            {
              "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU93372935/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-29154",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-05-11T00:00:00.000Z",
        "dateUpdated": "2025-01-09T19:24:43.251Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28651 (GCVE-0-2023-28651)

    Vulnerability from cvelistv5 – Published: 2023-06-01 00:00 – Updated: 2025-01-09 20:52
    VLAI
    Summary
    Cross-site scripting vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. If a user who can access the affected product with an administrative privilege configures specially crafted settings, an arbitrary script may be executed on the web browser of the other user who is accessing the affected product with an administrative privilege.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: versions prior to 3.5.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:43:23.556Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU93372935/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.8,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28651",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T20:52:23.669263Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T20:52:29.606Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "versions prior to 3.5.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. If a user who can access the affected product with an administrative privilege configures specially crafted settings, an arbitrary script may be executed on the web browser of the other user who is accessing the affected product with an administrative privilege."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-01T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
            },
            {
              "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU93372935/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-28651",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-05-11T00:00:00.000Z",
        "dateUpdated": "2025-01-09T20:52:29.606Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28824 (GCVE-0-2023-28824)

    Vulnerability from cvelistv5 – Published: 2023-06-01 00:00 – Updated: 2025-01-09 19:29
    VLAI
    Summary
    Server-side request forgery vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user who can access the affected product with an administrative privilege may bypass the database restriction set on the query setting page, and connect to a user unintended database.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Server-side request forgery
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: versions prior to 3.5.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:51:38.483Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU93372935/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.9,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28824",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T19:29:12.150296Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-918",
                    "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T19:29:17.173Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "versions prior to 3.5.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Server-side request forgery vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user who can access the affected product with an administrative privilege may bypass the database restriction set on the query setting page, and connect to a user unintended database."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Server-side request forgery",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-01T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf"
            },
            {
              "url": "https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU93372935/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-28824",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-05-11T00:00:00.000Z",
        "dateUpdated": "2025-01-09T19:29:17.173Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-2758 (GCVE-0-2023-2758)

    Vulnerability from cvelistv5 – Published: 2023-05-31 14:09 – Updated: 2025-01-09 20:26
    VLAI
    Title
    Contec CONPROSYS HMI System (CHS) v3.5.2 Denial of Service
    Summary
    A denial of service vulnerability exists in Contec CONPROSYS HMI System versions 3.5.2 and prior. When there is a time-zone mismatch in certain configuration files, a remote, unauthenticated attacker may deny logins for an extended period of time.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Contec CONPROSYS HMI System Affected: 0 , ≤ 3.5.2 (custom)
    Create a notification for this product.
    Date Public
    2023-05-31 14:08
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:33:05.476Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.tenable.com/security/research/tra-2023-21"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU93372935/index.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-2758",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T20:25:29.496343Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T20:26:25.295Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CONPROSYS HMI System",
              "vendor": "Contec",
              "versions": [
                {
                  "lessThanOrEqual": "3.5.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2023-05-31T14:08:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A denial of service vulnerability exists in Contec CONPROSYS HMI System versions 3.5.2 and prior. When there is a time-zone mismatch in certain configuration files, a remote, unauthenticated attacker may deny logins for an extended period of time."
                }
              ],
              "value": "A denial of service vulnerability exists in Contec CONPROSYS HMI System versions 3.5.2 and prior. When there is a time-zone mismatch in certain configuration files, a remote, unauthenticated attacker may deny logins for an extended period of time."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-799",
                  "description": "CWE-799",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-31T14:09:49.809Z",
            "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
            "shortName": "tenable"
          },
          "references": [
            {
              "url": "https://www.tenable.com/security/research/tra-2023-21"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU93372935/index.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Contec CONPROSYS HMI System (CHS) v3.5.2 Denial of Service",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
        "assignerShortName": "tenable",
        "cveId": "CVE-2023-2758",
        "datePublished": "2023-05-31T14:09:49.809Z",
        "dateReserved": "2023-05-17T12:46:36.673Z",
        "dateUpdated": "2025-01-09T20:26:25.295Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-22324 (GCVE-0-2023-22324)

    Vulnerability from cvelistv5 – Published: 2023-01-30 00:00 – Updated: 2025-03-28 14:08
    VLAI
    Summary
    SQL injection vulnerability in the CONPROSYS HMI System (CHS) Ver.3.5.0 and earlier allows a remote authenticated attacker to execute an arbitrary SQL command. As a result, information stored in the database may be obtained.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • SQL Injection
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Contec Co., Ltd. CONPROSYS HMI System (CHS) Affected: Ver.3.5.0 and earlier
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:07:06.179Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c\u0026downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230124_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU97195023/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-22324",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-28T14:07:42.736462Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-89",
                    "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-28T14:08:12.248Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CONPROSYS HMI System (CHS)",
              "vendor": "Contec Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.3.5.0 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in the CONPROSYS HMI System (CHS) Ver.3.5.0 and earlier allows a remote authenticated attacker to execute an arbitrary SQL command. As a result, information stored in the database may be obtained."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-30T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c\u0026downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b"
            },
            {
              "url": "https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230124_en.pdf"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU97195023/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-22324",
        "datePublished": "2023-01-30T00:00:00.000Z",
        "dateReserved": "2022-12-28T00:00:00.000Z",
        "dateUpdated": "2025-03-28T14:08:12.248Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }