Contec CONPROSYS HMI System (CHS) vulnerable to multiple SQL injections


CONPROSYS HMI System (CHS) provided by CONTEC CO.,LTD. contains multiple SQL injection vulnerabilities (CWE-89).

Mosin from ELEX FEIGONG RESEARCH INSTITUTE of Elex CyberSecurity, Inc., reported these vulnerabilities to Contec Co., Ltd.
Contec Co., Ltd. reported the issues to JPCERT/CC in order to notify users of the solutions through JVN.
CVSS Severity

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

  • CONPROSYS HMI System (CHS) Ver.3.5.0 and earlier


A remote attacker who can log into the product may execute an arbitrary SQL command. Information stored in the database may be obtained by a remote attacker.

This analysis assumes that an attacker exploits an affected product directly.

[Update the software]
Update the software to the latest version according to the information provided by the developer.
Vendor Information

CWE

  1. SQL Injection (CWE-89) [Other]
CVE

  1. CVE-2023-22324

  1. JVN : JVNVU#97195023
Revision History

  • [2023/01/24]
      Web page was published
  • [2023/01/26]
      Vendor Information : Content was modified