|
[Japanese]
|
JVNDB-2022-000028
|
Multiple vulnerabilities in multiple MEIKYO ELECTRIC products
|
|
Multiple MEIKYO ELECTRIC products provided by MEIKYO ELECTRIC CO.,LTD. contain multiple vulnerabilities listed below.
* Cross-site request forgery (CWE-352) - CVE-2022-27632
* Cross-site scripting (CWE-79) - CVE-2022-28717
Takayuki Sasaki of Yokohama National University reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2022-27632
|
CVSS V3 Severity:
Base Metrics
3.5 (Low) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: High
-
User Interaction: Required
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
3.5 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-28717
|
|
|
MEIKYO ELECTRIC CO.,LTD.
- PoE BOOT nino PoE8M2 firmware version 1.00A to 1.20A
- POSE SE10-8A7B1 firmware version 1.00A to 1.20A
- TIME BOOT mini RSC-MT4H [End of Sale] all firmware versions
- TIME BOOT mini RSC-MT4HS firmware version 1.00A to 1.10A
- TIME BOOT RSC-MT8F [End of Sale] all firmware versions
- TIME BOOT RSC-MT8FP [End of Sale] all firmware versions
- TIME BOOT RSC-MT8FS firmware version 1.00A to 1.00E
- WATCH BOOT L-zero RPC-M4L [End of Sale] all firmware versions
- WATCH BOOT L-zero RPC-M4LS firmware version 1.00A to 1.20A
- WATCH BOOT light RPC-M5C [End of Sale] all firmware versions
- WATCH BOOT light RPC-M5CS firmware version 1.00A to 1.00D
- WATCH BOOT mini RPC-M4H [End of Sale] all firmware versions
- WATCH BOOT nino RPC-M2C [End of Sale] all firmware versions
- WATCH BOOT nino RPC-M2CS firmware version 1.00A to 1.00D
- SignageRebooter RPC-M4HSi firmware version 1.00A
|
|
|
* If a user views a malicious page while logged in to the product's web interface, unintended operations may be performed - CVE-2022-27632
* An arbitrary script may be executed on the web browser of the user who is accessing the product's web interface - CVE-2022-28717
|
|
CVE-2022-27632
[Apply the Workaround]
Apply the following workaround to avoid the impacts of this vulnerability.
- Do not browse pages other than the product's web interface on the same web browser while logging in to the web interface
CVE-2022-28717
[Update the firmware]
Apply the appropriate firmware update according to the information provided by the developer.
For more information, refer to the information provided by the developer.
[Stop using the products and Switch to alternative products]
The developer states that the following products are no longer supported, and recommends to use alternative unaffected products.
- Rebooter
- WATCH BOOT nino RPC-M2C
- WATCH BOOT light RPC-M5C
- WATCH BOOT L-zero RPC-M4L
- WATCH BOOT mini RPC-M4H
- Scheduler
- TIME BOOT mini RSC-MT4H
- TIME BOOT RSC-MT8F
- TIME BOOT RSC-MT8FP
|
|
MEIKYO ELECTRIC CO.,LTD.
|
|
- Cross-Site Request Forgery(CWE-352) [IPA Evaluation]
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
|
- CVE-2022-27632
- CVE-2022-28717
|
|
- JVN : JVN#58266015
|
|
- [2022/05/09]
Web page was published
|
