JVNDB-2023-001400

CONPROSYS HMI System (CHS) vulnerable to SQL injection

Overview

CONPROSYS HMI System (CHS) provided by Contec Co., Ltd. contains an SQL injection vulnerability (CWE-89, CVE-2023-1658).

Tenable Network Security reported this vulnerability to the developer.
JPCERT/CC coordinated with the reporter and the developer.

CVSS Severity

CVSS V3 Severity:
Base Metrics 7.5 (High)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

Contec
  • CONPROSYS HMI System (CHS) Ver.3.5.1 and earlier

Impact

Sending a specially crafted parameter in an HTTP header may alter the SQL query that the product executes. As a result, information stored in the product may be obtained.
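The following is an added illustration of the flaw class described above, not code from the product or from this advisory (the internals of CHS are not described here). It is a constructed Python handler in which a value taken from an HTTP header is spliced into an SQL query, beside a parameterized version that treats the same value as data; the header name, schema and rows are invented.

```python
import sqlite3

# Constructed demo schema: a few rows standing in for data a product might store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)",
                     [(1, "plc-1", "alice"), (2, "plc-2", "bob")])
    return conn

def lookup_vulnerable(conn, headers):
    """CWE-89 pattern: the header value is spliced into the SQL text,
    so a crafted value changes the query instead of just its data."""
    owner = headers.get("X-Owner", "")  # hypothetical header name
    sql = f"SELECT name FROM devices WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_fixed(conn, headers):
    """Hardened form: the query text is constant and the header value is
    bound as a parameter, so it can only ever match an owner literally."""
    owner = headers.get("X-Owner", "")
    sql = "SELECT name FROM devices WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]

def demo():
    """Run both handlers against a benign and a crafted header value."""
    conn = make_db()
    benign = {"X-Owner": "alice"}
    crafted = {"X-Owner": "' OR '1'='1"}  # closes the quoted literal early
    return {
        "benign_vulnerable": lookup_vulnerable(conn, benign),
        "benign_fixed": lookup_fixed(conn, benign),
        "crafted_vulnerable": sorted(lookup_vulnerable(conn, crafted)),
        "crafted_fixed": lookup_fixed(conn, crafted),
    }

if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

The crafted value returns every row from the vulnerable handler and nothing from the fixed one, which is the read-only information disclosure the CVSS vector above describes (Confidentiality: High, Integrity and Availability: None).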
Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer released Ver.3.5.2 that contains a fix for this vulnerability.

[Apply workaround]
Applying the following workarounds may mitigate the impact of this vulnerability.

* Set up a firewall and run the product behind it
* Restrict access to the product and allow access only from trusted networks

For more information, refer to the information provided by the developer.

Vendor Information

Contec

CWE

  1. SQL Injection (CWE-89)

CVE

  1. CVE-2023-1658

References

  1. JVN: JVNVU#92145493

Revision History

  • [2023/04/03]
      Web page was published