[Japanese]
|
JVNDB-2021-000016
|
Multiple vulnerabilities in SolarView Compact
|
SolarView Compact provided by Contec Co., Ltd. contains multiple vulnerabilities listed below.
*Exposure of information through directory listing (CWE-548) - CVE-2021-20656
*Improper access control (CWE-284) - CVE-2021-20657
*OS command injection (CWE-78) - CVE-2021-20658
*Unrestricted upload of file with dangerous type (CWE-434) - CVE-2021-20659
*Cross-site scripting (CWE-79) - CVE-2021-20660
*Directory traversal (CWE-23) - CVE-2021-20661
*Missing authentication for critical function (CWE-306) - CVE-2021-20662
*Using components with known vulnerabilities (CWE-1035) - CVE-2011-0762, CVE-2011-4362, CVE-2013-4508, CVE-2013-4559, CVE-2013-4560, CVE-2014-2323, CVE-2014-2324
The product uses previous versions of vsfpd and lighttpd with known vulnerabilities.
CVE-2021-20656
Kouichirou Okada, Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2021-20657, CVE-2021-20658
Takayuki Sasak, Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2021-20659, CVE-2021-20660, CVE-2021-20661, CVE-2021-20662
Kouichirou Okada, Takayuki Sasaki, Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Kouichirou Okada, Katsunari Yoshioka of Yokohama National University reported to IPA that CVE-2011-0762, CVE-2011-4362, CVE-2013-4508, CVE-2013-4559, CVE-2013-4560, CVE-2014-2323 and CVE-2014-2324 vulnerabilities still exist in the product. JPCERT/CC coordinated with the developer.
|
CVSS V3 Severity: Base Metrics 6.3 (Medium) [IPA Score]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
CVSS V2 Severity: Base Metrics 5.8 (Medium) [IPA Score]
- Access Vector: Adjacent Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20658
|
CVSS V3 Severity:
Base Metrics:
3.5 (Low) [JPCERT/CC Score]
-
Attack Vector: Adjacent
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: None
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
2.7 (Low)
[JPCERT/CC Score]
-
Access Vector: Adjacent Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: Partial
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20656
|
CVSS V3 Severity:
Base Metrics:
4.6 (Medium) [JPCERT/CC Score]
-
Attack Vector: Adjacent
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
4.1 (Medium)
[JPCERT/CC Score]
-
Access Vector: Adjacent Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: Partial
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20657
|
CVSS V3 Severity:
Base Metrics:
5.5 (Medium) [JPCERT/CC Score]
-
Attack Vector: Adjacent
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: Low
CVSS V2 Severity:Base Metrics:
5.2 (Medium)
[JPCERT/CC Score]
-
Access Vector: Adjacent Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: Partial
-
Integrity Impact: Partial
-
Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20659
|
CVSS V3 Severity:
Base Metrics:
6.1 (Medium) [JPCERT/CC Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
4.3 (Medium)
[JPCERT/CC Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20660
|
CVSS V3 Severity:
Base Metrics:
6.3 (Medium) [JPCERT/CC Score]
-
Attack Vector: Adjacent
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: High
CVSS V2 Severity:Base Metrics:
4.1 (Medium)
[JPCERT/CC Score]
-
Access Vector: Adjacent Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20661
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [JPCERT/CC Score]
-
Attack Vector: Adjacent
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
3.3 (Low)
[JPCERT/CC Score]
-
Access Vector: Adjacent Network
-
Access Complexity: Low
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20662
|
|
Contec
- SolarView Compact SV-CPT-MC310 prior to Ver.6.5
|
|
*An attacker who can log in to this product may obtain the information inside the system, e.g. directories and/or file configurations - CVE-2021-20656
*An attacker who can log in to the product may obtain and/or alter the setting information without the access privileges. Also, an attacker with the administrative privilege may log in to the product and perform an unintended operation - CVE-2021-20657
*An attacker may execute an arbitrary OS command with the web server privilege. Also, an attacker with the administrative privilege may log in to the product and perform an unintended operation - CVE-2021-20658
*An attacker who can log in to this product may upload arbitrary files. If the file is PHP script, an attacker may execute arbitrary code - CVE-2021-20659
*An arbitrary script may be executed on a logged-in user's web browser - CVE-2021-20660
*An attacker who can log in to this product may delete arbitrary files and/or directories on the server - CVE-2021-20661
*An attacker who can log in to this product may alter the setting information without the access privileges - CVE-2021-20662
*An attack may be conducted by exploiting known vulnerabilities - CVE-2011-0762, CVE-2011-4362, CVE-2013-4508, CVE-2013-4559, CVE-2013-4560, CVE-2014-2323, CVE-2014-2324
|
[Update the Firmware]
Update the firmware to the latest version according to the information provided by the developer.
These vulnerabilities have been already addressed in the following firmware version.
|
Contec
|
- Information Exposure(CWE-200) [IPA Evaluation]
- Path Traversal(CWE-22) [IPA Evaluation]
- Permissions(CWE-264) [IPA Evaluation]
- OS Command Injection(CWE-78) [IPA Evaluation]
- Cross-site Scripting(CWE-79) [IPA Evaluation]
- No Mapping(CWE-Other) [IPA Evaluation]
|
- CVE-2011-0762
- CVE-2011-4362
- CVE-2013-4508
- CVE-2013-4559
- CVE-2013-4560
- CVE-2014-2323
- CVE-2014-2324
- CVE-2021-20656
- CVE-2021-20657
- CVE-2021-20658
- CVE-2021-20659
- CVE-2021-20660
- CVE-2021-20661
- CVE-2021-20662
|
- JVN : JVN#37417423
- National Vulnerability Database (NVD) : CVE-2011-0762
- National Vulnerability Database (NVD) : CVE-2011-4362
- National Vulnerability Database (NVD) : CVE-2013-4508
- National Vulnerability Database (NVD) : CVE-2013-4559
- National Vulnerability Database (NVD) : CVE-2013-4560
- National Vulnerability Database (NVD) : CVE-2014-2323
- National Vulnerability Database (NVD) : CVE-2014-2324
- National Vulnerability Database (NVD) : CVE-2021-20656
- National Vulnerability Database (NVD) : CVE-2021-20657
- National Vulnerability Database (NVD) : CVE-2021-20658
- National Vulnerability Database (NVD) : CVE-2021-20659
- National Vulnerability Database (NVD) : CVE-2021-20660
- National Vulnerability Database (NVD) : CVE-2021-20661
- National Vulnerability Database (NVD) : CVE-2021-20662
|
- [2021/02/19]
Web page was published
- [2021/02/25]
Impact : Content was modified
|