Published: 2022/05/26  Last Updated: 2022/06/09

Multiple vulnerabilities in CONTEC SolarView Compact


SolarView Compact provided by CONTEC CO., LTD. contains multiple vulnerabilities.

Products Affected


  • SV-CPT-MC310 versions prior to Ver.7.21
  • SV-CPT-MC310F versions prior to Ver.7.21
CVE-2022-29298, CVE-2022-29302
  • SV-CPT-MC310 versions prior to Ver.6.50
  • SV-CPT-MC310F versions prior to Ver.6.50


SolarView Compact provided by CONTEC CO., LTD. is a PV measurement system. SolarView Compact contains the multiple vulnerabilities listed below.

  • OS command injection (CWE-78) - CVE-2022-29303
    Improper validation of input values on the send test mail console of the product's web server may result in OS command injection.
    CVSS v3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8
  • Directory traversal (CWE-23) - CVE-2022-29298
    Improper validation of a URL on the download page of the product's web server may allow a remote attacker to view and obtain an arbitrary file.
    CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
  • Information disclosure (CWE-200) - CVE-2022-29302
    A hidden page that allows editing of the product's web server contents exists on the product's web server, and a remote attacker may read and/or alter an arbitrary file on the web server via the hidden page.
    CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Base Score: 6.5


Exploiting these vulnerabilities may result in the impacts listed below.

  • An attacker who can access the product settings may execute an arbitrary OS command - CVE-2022-29303
  • A remote attacker may obtain an arbitrary file - CVE-2022-29298
  • A remote attacker may view and/or alter an arbitrary file on the web server - CVE-2022-29302


Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
These vulnerabilities have already been addressed in the following firmware versions.

  • SV-CPT-MC310 Ver.7.21
  • SV-CPT-MC310F Ver.7.21
Apply the workaround
Applying the following workarounds may mitigate the impacts of these vulnerabilities.
  • Disconnect the product from the network if it is being used in a standalone environment
  • Set up a firewall and run the product behind it
  • Place the product in a trusted, closed network
  • Choose "User authentications required in all menus" under "User authentication target settings" in "User account settings"
  • Change default credentials


Update History

Information under the section [Title], [Overview], [Products Affected], [Description], [Impact], and [Solution] was updated.