|
JVNDB-2023-001774
|
Multiple vulnerabilities in SolarView Compact
|
SolarView Compact provided by CONTEC CO.,LTD. contains multiple vulnerabilities listed below.
* Use of hard-coded credentials (CWE-798) - CVE-2023-27512
* OS command injection in the download page (CWE-78) - CVE-2023-27514
* Buffer overflow in the multiple setting pages (CWE-120) - CVE-2023-27518
* OS command injection in the mail setting page (CWE-78) - CVE-2023-27521
* Improper access control in the system date/time setting page (CWE-284) - CVE-2023-27920
CVE-2023-27512, CVE-2023-27514, CVE-2023-27518, CVE-2023-27521
Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVE-2023-27920
CONTEC CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solutions through JVN.
|
CVSS V3 Severity: Base Metrics 8.8 (High) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2023-27514
|
CVSS V3 Severity: Base Metrics 8.8 (High) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2023-27521
|
CVSS V3 Severity: Base Metrics 6.5 (Medium) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-27512
|
CVSS V3 Severity: Base Metrics 6.3 (Medium) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
The above CVSS base scores have been assigned for CVE-2023-27518
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-27920
|
|
Contec
- SolarView Compact SV-CPT-MC310 Ver.8.10 or later
- SolarView Compact SV-CPT-MC310F Ver.8.10 or later
|
|
* A remote authenticated attacker may log in to the affected product with administrative privilege and perform an unintended operation - CVE-2023-27512
* A remote authenticated attacker may execute an arbitrary OS command - CVE-2023-27514, CVE-2023-27521
* Buffer overflow occurs on the affected product and a remote authenticated attacker may execute arbitrary code - CVE-2023-27518
* A remote authenticated attacker with a user privilege may alter system date/time of the affected product - CVE-2023-27920
|
[Update the software]
Update the software (firmware) to the latest version according to the information provided by the developer.
The vulnerabilities have been addressed in the following firmware versions.
- SolarView Compact
- SV-CPT-MC310 Ver.8.10 or later
- SV-CPT-MC310F Ver.8.10 or later
[Apply the workaround]
Applying the following workarounds may mitigate the impacts of these vulnerabilities.
- Disconnect the product from the network
- Set up a firewall and run the product behind it
- Deploy the product in a trusted, closed network
- Choose "User authentications required in all menus" under "User authentication target settings" in "User account settings"
|
Contec
|
- Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120) [Other]
- Improper Access Control (CWE-284) [Other]
- OS Command Injection (CWE-78) [Other]
- Use of Hard-coded Credentials (CWE-798) [Other]
|
- CVE-2023-27512
- CVE-2023-27514
- CVE-2023-27518
- CVE-2023-27521
- CVE-2023-27920
|
- JVN : JVNVU#92106300
- National Vulnerability Database (NVD) : CVE-2023-27512
- National Vulnerability Database (NVD) : CVE-2023-27514
- National Vulnerability Database (NVD) : CVE-2023-27518
- National Vulnerability Database (NVD) : CVE-2023-27521
- National Vulnerability Database (NVD) : CVE-2023-27920
|
- [2023/05/09]
Web page was published
- [2024/06/27]
References : Contents were added
|