JVNVU#92145493
CONPROSYS HMI System(CHS) vulnerable to SQL injection
Overview
CONPROSYS HMI System(CHS) provided by Contec Co., Ltd. contains an SQL injection vulnerability.
Products Affected
- CONPROSYS HMI System(CHS) Ver.3.5.1 and earlier
Description
CONPROSYS HMI System(CHS) provided by Contec Co., Ltd. contains an SQL injection vulnerability (CWE-89, CVE-2023-1658).
Impact
Sending a specially crafted parameter in an HTTP header may alter the SQL query that the product executes. As a result, information stored in the product may be obtained.
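To make the impact concrete, the following added example (not CHS's own code; the header name, table schema and Python/SQLite stack are all assumptions) contrasts a lookup that splices a header value into SQL with the same lookup using a bound parameter, and shows that only the first one returns rows it should not:

```python
import sqlite3

# Constructed sample data standing in for "information stored in the product".
# The schema is hypothetical and not taken from CHS.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (token TEXT, username TEXT)")
    db.executemany("INSERT INTO sessions VALUES (?, ?)",
                   [("tok-alice", "alice"), ("tok-bob", "bob")])
    return db

def lookup_user_vulnerable(db, headers):
    """CWE-89 pattern: the header value becomes part of the SQL text."""
    token = headers.get("X-Session-Token", "")   # hypothetical header name
    sql = "SELECT username FROM sessions WHERE token = '" + token + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_user_fixed(db, headers):
    """Same lookup with a bound parameter: the header value is data, never SQL."""
    token = headers.get("X-Session-Token", "")
    sql = "SELECT username FROM sessions WHERE token = ?"
    return [row[0] for row in db.execute(sql, (token,))]

def demo():
    """Run both variants against a benign and a crafted header value."""
    db = make_db()
    benign = {"X-Session-Token": "tok-alice"}
    crafted = {"X-Session-Token": "x' OR '1'='1"}  # constructed tautology input
    return {
        "vuln_benign": lookup_user_vulnerable(db, benign),    # ['alice']
        "vuln_crafted": lookup_user_vulnerable(db, crafted),  # every row leaks
        "fixed_benign": lookup_user_fixed(db, benign),        # ['alice']
        "fixed_crafted": lookup_user_fixed(db, crafted),      # [] (no such token)
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The fixed variant is the pattern a vendor patch for this class of bug is expected to adopt; the firewall and network-restriction workarounds below reduce who can reach the HTTP interface but do not change the query construction itself.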
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
The developer released Ver.3.5.2 that contains a fix for this vulnerability.
Apply workaround
Applying the following workarounds may mitigate the impact of this vulnerability.
- Set up a firewall and run the product behind it
- Restrict access to the product and allow access only from trusted networks
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Tenable Network Security reported this vulnerability to the developer.
JPCERT/CC coordinated with the reporter and the developer.