JVNVU#97195023
Contec CONPROSYS HMI System (CHS) vulnerable to multiple SQL injections
Overview
CONPROSYS HMI System (CHS) provided by Contec Co., Ltd. contains multiple SQL injection vulnerabilities.
Products Affected
- CONPROSYS HMI System (CHS) Ver.3.5.0 and earlier
Description
CONPROSYS HMI System (CHS) provided by CONTEC CO.,LTD. contains multiple SQL injection vulnerabilities (CWE-89).
Impact
A remote attacker who can log in to the product may execute an arbitrary SQL command. As a result, information stored in the database may be obtained by the attacker.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
Vendor | Link |
Contec Co., Ltd. | Vulnerability Correction in CONPROSYS HMI System (CHS) (PDF) |
Download License Agreement | Installer / Trial Software |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |
Comment
This analysis assumes that an attacker exploits an affected product directly.
Credit
Mosin from ELEX FEIGONG RESEARCH INSTITUTE of Elex CyberSecurity, Inc., reported these vulnerabilities to Contec Co., Ltd.
Contec Co., Ltd. reported the issues to JPCERT/CC in order to notify users of the solutions through JVN.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2023-22324 |
JVN iPedia | |
Update History
- 2023/01/25
  - Information under the section [Vendor Status] was updated.