JVNVU#93526386
Contec SolarView Compact vulnerable to cross-site scripting
Overview
SolarView Compact provided by Contec Co., Ltd. contains a cross-site scripting vulnerability.
Products Affected
- SolarView Compact
- SV-CPT-MC310 prior to Ver.8.02
- SV-CPT-MC310F prior to Ver.8.02
Description
SolarView Compact provided by Contec Co., Ltd. is PV Measurement System.
SolarView Compact contains a cross-site scripting vulnerability (CWE-79, CVE-2022-44355) in Check Network Communication Page of the product's web server.
As of 2022 December 5, a Proof-of-Concept (PoC) code exploiting this vulnerability has already been made public.
Impact
An arbitrary script may be executed on a logged-in user's web browser.
The developer states that users accessing the product without login may be affected by this vulnerability if the product's firmware versions are SV-CPT-MC310 prior to Ver.7.24 or SV-CPT-MC310F prior to Ver.7.24.
Solution
Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
This vulnerability has been already addressed in the following firmware versions.
- SolarView Compact
- SV-CPT-MC310 Ver.8.02
- SV-CPT-MC310F Ver.8.02
Applying the following workarounds may mitigate the impacts of this vulnerability.
- Disconnect from network if the product is used in the standalone environment
- Setup a firewall and run the product behind it
- Configure the product in the trusted and closed network
- When the product's firmware versions are SV-CPT-MC310 prior to Ver.7.24 or SV-CPT-MC310F prior to Ver.7.24, choose "User authentications required in all menus" under "User authentication target settings" in "User account settings"
- Change default credentials
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | ||
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | ||
Scope(S) | Unchanged (U) | Changed (C) | ||
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) |
Comment
In the case where the product's firmware versions are SV-CPT-MC310 prior to Ver.7.24 or SV-CPT-MC310F prior to Ver.7.24, 'Privileges Required(PR)' is analyzed as 'None (N)', therefore CVSSv3 score is as follows.
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 6.1 |