[Japanese]

JVNDB-2022-002112

CONTEC SolarView Compact vulnerable to insufficient verification in uploading files

Overview

SolarView Compact provided by CONTEC CO., LTD. is PV Measurement System.
The image file management page of SolarView Compact contains an insufficient verification vulnerability when uploadi

webray reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.ng files (CWE-20).
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.8 (High) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products


Contec
  • SolarView Compact SV-CPT-MC310 Ver.7.23 and earlier
  • SolarView Compact SV-CPT-MC310F Ver.7.23 and earlier

Impact

Arbitrary PHP code may be executed if a remote authenticated attacker uploads a specially crafted PHP file.
Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
This vulnerability has been already addressed in the following firmware versions.

* SolarView Compact
* SV-CPT-MC310 Ver.7.24
* SV-CPT-MC310F Ver.7.24

[Apply the workaround]
Applying the following workarounds may mitigate the impacts of this vulnerability.
* Disconnect from network if the product is used in the standalone environment
* Setup a firewall and run the product behind it
* Configure the product in the trusted and closed network
* Choose "User authentications required in all menus" under "User authentication target settings" in "User account settings"
* Change default credentials
Vendor Information

Contec
CWE (What is CWE?)

  1. Improper Input Validation(CWE-20) [Other]
CVE (What is CVE?)

  1. CVE-2022-35239
References

  1. JVN : JVNVU#93696585
  2. National Vulnerability Database (NVD) : CVE-2022-35239
Revision History

  • [2022/08/03]
      Web page was published
  • [2023/03/31]
      Overview was modified
  • [2024/06/14]
      References : Content was added