Published: 2025/07/01 Last Updated: 2025/07/01
JVNVU#92266386
Multiple vulnerabilities in Contec CONPROSYS HMI System (CHS)
Overview
CONPROSYS HMI System (CHS) provided by Contec Co.,Ltd. contains multiple vulnerabilities.
Products Affected
- CONPROSYS HMI System (CHS) versions prior to 3.7.7
Description
CONPROSYS HMI System (CHS) provided by Contec Co.,Ltd. contains multiple vulnerabilities listed below.
- Reflected cross-site scripting (CWE-79)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1
  - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
  - CVE-2025-34021
- Insertion of sensitive information into debugging code (CWE-215)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 6.9
  - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score 5.3
  - CVE-2025-34040
Impact
- An arbitrary script may be executed on the web browser of the user who is accessing the product (CVE-2025-34021)
- A remote unauthenticated attacker may obtain the PHP runtime information of the product (CVE-2025-34040)
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
The developer has released CONPROSYS HMI System (CHS) 3.7.7, which contains the fixes for these vulnerabilities.
Vendor Status
Vendor | Link |
Contec Co.,Ltd. | Vulnerability Correction in CONPROSYS HMI System (CHS) (PDF) |
Credit
Alex Williams of Converge Technology Solutions reported these vulnerabilities to Vulncheck Inc., and Vulncheck Inc. reported these vulnerabilities to the developer.
Based on the coordination request made by the developer, JPCERT/CC coordinated with Vulncheck Inc. and the developer.