|
[Japanese]
|
JVNDB-2025-007754
|
Multiple vulnerabilities in Contec CONPROSYS HMI System (CHS)
|
|
CONPROSYS HMI System (CHS) provided by Contec Co.,Ltd. contains multiple vulnerabilities listed below.
* Reflected cross-site scripting (CWE-79) - CVE-2025-34080
* Insertion of sensitive information into debugging code (CWE-215) - CVE-2025-34081
Alex Williams of Converge Technology Solutions reported these vulnerabilities to Vulncheck Inc., and
Vulncheck Inc. reported these vulnerabilities to the developer.
Based on the coordination request made by the developer, JPCERT/CC coordinated with Vulncheck Inc. and the developer.
|
|
CVSS V3 Severity:
Base Metrics 6.1 (Medium) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-34080
|
CVSS V3 Severity:
Base Metrics5.3 (Medium) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-34081
|
|
|
Contec
- CONPROSYS HMI System (CHS) versions prior to 3.7.7
|
|
|
* An arbitrary script may be executed on the web browser of the user who is accessing the product (CVE-2025-34080)
* A remote unauthenticated attacker may obtain the PHP runtime information of the product (CVE-2025-34081)
|
|
[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer has released CONPROSYS HMI System (CHS) 3.7.7 that contains the fixes for these vulnerabilities.
|
|
Contec
|
|
- Insertion of Sensitive Information Into Debugging Code(CWE-215) [Other]
- Cross-site Scripting(CWE-79) [Other]
|
|
- CVE-2025-34080
- CVE-2025-34081
|
|
- JVN : JVNVU#92266386
|
|
- [2025/07/02]
Web page was published
|
