|
JVNDB-2022-001923
|
Multiple vulnerabilities in CONTEC SolarView Compact
|
SolarView Compact, provided by CONTEC CO., LTD., is a PV measurement system. SolarView Compact contains the multiple vulnerabilities listed below.
OS command injection (CWE-78) - CVE-2022-29303
Improper validation of input values on the send test mail console of the product's web server may result in OS command injection.
Directory traversal (CWE-23) - CVE-2022-29298
Improper validation of a URL on the download page of the product's web server may allow a remote attacker to view and obtain an arbitrary file.
Information disclosure (CWE-200) - CVE-2022-29302
A hidden page that allows editing of the web server's contents exists on the product's web server, and a remote attacker may read and/or alter an arbitrary file on the web server via the hidden page.
OS command injection (CWE-78) - CVE-2022-40881
Improper validation of input values on the Check Network Communication page of the product's web server may result in arbitrary OS command execution.
OS command injection (CWE-78) - CVE-2023-23333
Improper validation of input values on the download page of the product's web server may result in arbitrary OS command execution.
|
|
CVSS V3 Severity:
Base Metrics: 8.8 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2022-29303
|
CVSS V3 Severity:
Base Metrics: 9.8 (Critical) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2022-29298
|
CVSS V3 Severity:
Base Metrics: 6.5 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-29302
|
CVSS V3 Severity:
Base Metrics: 8.8 (High) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2022-40881
|
CVSS V3 Severity:
Base Metrics: 8.8 (High) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2023-23333
|
|
Contec
- SolarView Compact SV-CPT-MC310 versions prior to Ver.6.50 (CVE-2022-29298, CVE-2022-29302)
- SolarView Compact SV-CPT-MC310 versions prior to Ver.7.21 (CVE-2022-29303, CVE-2022-40881, CVE-2023-23333)
- SolarView Compact SV-CPT-MC310F versions prior to Ver.6.50 (CVE-2022-29298, CVE-2022-29302)
- SolarView Compact SV-CPT-MC310F versions prior to Ver.7.21 (CVE-2022-29303, CVE-2022-40881, CVE-2023-23333)
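The affected-version list above can be applied to a device inventory to see which CVEs remain open on each unit. The following Python is an added example, not code from JVN or CONTEC. It assumes firmware strings look like "Ver.6.50" and compare as (major, minor) integer pairs; the inventory rows are constructed.

```python
import re

# Thresholds and CVE groupings copied from the advisory's affected-products list.
AFFECTED_MODELS = {"SV-CPT-MC310", "SV-CPT-MC310F"}
RULES = [
    ((6, 50), ["CVE-2022-29298", "CVE-2022-29302"]),
    ((7, 21), ["CVE-2022-29303", "CVE-2022-40881", "CVE-2023-23333"]),
]
# CVSS v3 base scores as listed in the advisory.
SCORES = {
    "CVE-2022-29303": 8.8, "CVE-2022-29298": 9.8, "CVE-2022-29302": 6.5,
    "CVE-2022-40881": 8.8, "CVE-2023-23333": 8.8,
}

def parse_version(text):
    """Return (major, minor) from strings such as 'Ver.6.50', or None."""
    # Assumption: versions are two numeric fields compared as integers.
    m = re.fullmatch(r"\s*(?:ver\.?\s*)?(\d+)\.(\d+)\s*", text, re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(model, firmware):
    """Return (status, open_cves, max_score) for one inventory row."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return ("not-listed", [], None)
    version = parse_version(firmware)
    if version is None:
        # Unknown firmware on a listed model: treat every CVE as open.
        cves = [c for _, group in RULES for c in group]
        return ("unknown-version", cves, max(SCORES[c] for c in cves))
    cves = [c for fixed_in, group in RULES if version < fixed_in for c in group]
    if not cves:
        return ("fixed", [], None)
    return ("affected", cves, max(SCORES[c] for c in cves))

# Constructed inventory rows (hostnames and versions are made up).
INVENTORY = [
    ("pv-site-a", "SV-CPT-MC310", "Ver.6.00"),
    ("pv-site-b", "SV-CPT-MC310F", "Ver.7.00"),
    ("pv-site-c", "SV-CPT-MC310", "Ver.7.21"),
    ("pv-site-d", "SV-CPT-MC310F", "unknown"),
]

if __name__ == "__main__":
    for host, model, firmware in INVENTORY:
        status, cves, score = triage(model, firmware)
        print(f"{host}: {status} max_cvss={score} {', '.join(cves)}")
```

A unit whose firmware string cannot be parsed is reported with every CVE open, so it is not silently treated as fixed.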
|
|
Exploiting these vulnerabilities may result in the impacts listed below.
* An attacker who can access the product settings may execute an arbitrary OS command - CVE-2022-29303, CVE-2022-40881, CVE-2023-23333
* A remote attacker may obtain an arbitrary file - CVE-2022-29298
* A remote attacker may view and/or alter an arbitrary file on the web server - CVE-2022-29302
|
[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
These vulnerabilities have already been addressed in the following firmware versions.
* SV-CPT-MC310 Ver.7.21 and later
* SV-CPT-MC310F Ver.7.21 and later
[Apply the workaround]
Applying the following workarounds may mitigate the impacts of these vulnerabilities.
* Disconnect the product from the network if it is used in a standalone environment
* Set up a firewall and run the product behind it
* Configure the product in a trusted and closed network
* Choose "User authentications required in all menus" under "User authentication target settings" in "User account settings"
* Change default credentials
|
Contec
|
- OS Command Injection (CWE-78) [Other]
- Relative Path Traversal (CWE-23) [Other]
- Information Exposure (CWE-200) [Other]
|
- CVE-2022-29303
- CVE-2022-29298
- CVE-2022-29302
- CVE-2022-40881
- CVE-2023-23333
|
- JVN : JVNVU#92327282
- National Vulnerability Database (NVD) : CVE-2022-29303
- National Vulnerability Database (NVD) : CVE-2022-29298
- National Vulnerability Database (NVD) : CVE-2022-29302
- National Vulnerability Database (NVD) : CVE-2022-40881
|
- [2022/05/27]
Web page was published
- [2022/06/10]
Title was modified
Description was modified
CVSS Severity was modified
Impact was modified
Solution was modified
Affected Products were modified
References : Contents were added
CWE : Contents were added
- [2022/12/15]
Description was modified
CVSS Severity was modified
Affected Products were modified
Vendor Information was modified
Impact was modified
Solution was modified
CVE : CVE-IDs were added
References : Contents were added
- [2023/02/13]
Description was modified
CVSS Severity was modified
Affected Products were modified
Vendor Information was modified
Impact was modified
References : Content was added
|