[Japanese]

JVNDB-2025-007754

Multiple vulnerabilities in Contec CONPROSYS HMI System (CHS)

Overview

CONPROSYS HMI System (CHS) provided by Contec Co.,Ltd. contains multiple vulnerabilities listed below.

* Reflected cross-site scripting (CWE-79) - CVE-2025-34080
* Insertion of sensitive information into debugging code (CWE-215) - CVE-2025-34081

Alex Williams of Converge Technology Solutions reported these vulnerabilities to Vulncheck Inc., and
Vulncheck Inc. reported these vulnerabilities to the developer.
Based on the coordination request made by the developer, JPCERT/CC coordinated with Vulncheck Inc. and the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.1 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-34080


CVSS V3 Severity:
Base Metrics5.3 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-34081
Affected Products


Contec
  • CONPROSYS HMI System (CHS) versions prior to 3.7.7

Impact

* An arbitrary script may be executed on the web browser of the user who is accessing the product (CVE-2025-34080)
* A remote unauthenticated attacker may obtain the PHP runtime information of the product (CVE-2025-34081)
Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer has released CONPROSYS HMI System (CHS) 3.7.7 that contains the fixes for these vulnerabilities.
Vendor Information

Contec
CWE (What is CWE?)

  1. Insertion of Sensitive Information Into Debugging Code(CWE-215) [Other]
  2. Cross-site Scripting(CWE-79) [Other]
CVE (What is CVE?)

  1. CVE-2025-34080
  2. CVE-2025-34081
References

  1. JVN : JVNVU#92266386
Revision History

  • [2025/07/02]
      Web page was published