[Japanese]

JVNDB-2022-002770

Contec SolarView Compact vulnerable to cross-site scripting

Overview

SolarView Compact provided by Contec Co., Ltd. is PV Measurement System.
SolarView Compact contains a cross-site scripting vulnerability (CWE-79, CVE-2022-44355) in Check Network Communication Page of the product's web server.

As of 2022 December 5, a Proof-of-Concept (PoC) code exploiting this vulnerability has already been made public.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.4 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-44355

CVSS V3 Severity:
Base Metrics:6.1 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
In the case where the product's firmware versions are SV-CPT-MC310 prior to Ver.7.24 or SV-CPT-MC310F prior to Ver.7.24, 'Privileges Required(PR)' is analyzed as 'None (N)', therefore CVSSv3 score is as above.
Affected Products


Contec
  • SolarView Compact firmware SV-CPT-MC310 prior to Ver.8.02
  • SolarView Compact firmware SV-CPT-MC310F prior to Ver.8.02

Impact

An arbitrary script may be executed on a logged-in user's web browser.

The developer states that users accessing the product without login may be affected by this vulnerability if the product's firmware versions are SV-CPT-MC310 prior to Ver.7.24 or SV-CPT-MC310F prior to Ver.7.24.
Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
This vulnerability has been already addressed in the following firmware versions.

* SolarView Compact
* SV-CPT-MC310 Ver.8.02
* SV-CPT-MC310F Ver.8.02

[Apply the workaround]
Applying the following workarounds may mitigate the impacts of this vulnerability.
* Disconnect from network if the product is used in the standalone environment
* Setup a firewall and run the product behind it
* Configure the product in the trusted and closed network
* When the product's firmware versions are SV-CPT-MC310 prior to Ver.7.24 or SV-CPT-MC310F prior to Ver.7.24, choose "User authentications required in all menus" under "User authentication target settings" in "User account settings"
* Change default credentials
Vendor Information

Contec
CWE (What is CWE?)

  1. Cross-site Scripting(CWE-79) [Other]
CVE (What is CVE?)

  1. CVE-2022-44355
References

  1. JVN : JVNVU#93526386
  2. National Vulnerability Database (NVD) : CVE-2022-44355
Revision History

  • [2022/12/06]
      Web page was published
  • [2024/06/04]
      Affected Products : Products were modified 
      References : Content was added

Date Public2022/12/05
Date First Published2022/12/06
Date Last Updated2024/06/04