JVNDB-2022-002770

Contec SolarView Compact vulnerable to cross-site scripting

SolarView Compact provided by Contec Co., Ltd. is PV Measurement System.
SolarView Compact contains a cross-site scripting vulnerability (CWE-79, CVE-2022-44355) in Check Network Communication Page of the product's web server.

As of 2022 December 5, a Proof-of-Concept (PoC) code exploiting this vulnerability has already been made public.

Contec

• SolarView Compact SV-CPT-MC310 prior to Ver.8.02
• SolarView Compact SV-CPT-MC310F prior to Ver.8.02

An arbitrary script may be executed on a logged-in user's web browser.

The developer states that users accessing the product without login may be affected by this vulnerability if the product's firmware versions are SV-CPT-MC310 prior to Ver.7.24 or SV-CPT-MC310F prior to Ver.7.24.

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
This vulnerability has been already addressed in the following firmware versions.

* SolarView Compact
* SV-CPT-MC310 Ver.8.02
* SV-CPT-MC310F Ver.8.02

[Apply the workaround]
Applying the following workarounds may mitigate the impacts of this vulnerability.
* Disconnect from network if the product is used in the standalone environment
* Setup a firewall and run the product behind it
* Configure the product in the trusted and closed network
* When the product's firmware versions are SV-CPT-MC310 prior to Ver.7.24 or SV-CPT-MC310F prior to Ver.7.24, choose "User authentications required in all menus" under "User authentication target settings" in "User account settings"
* Change default credentials

Contec

• Contec Co., Ltd. : SV-CPT-MC310 (in Japanese)
• Contec Co., Ltd. : Regarding a vulnerability in SolarView Compact (SV-CPT-MC310) (PDF) (in Japanese)

1. Cross-site Scripting(CWE-79) [Other]

1. CVE-2022-44355

1. JVN : JVNVU#93526386

• [2022/12/06]
    Web page was published