CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29154
https://notcve.org/view.php?id=CVE-2023-29154
SQL injection vulnerability exists in the CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user who can access the affected product with an administrative privilege may execute an arbitrary SQL command via specially crafted input to the query setting page. • https://jvn.jp/en/vu/JVNVU93372935 https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-2758 – Contec CONPROSYS HMI System (CHS) v3.5.2 Denial of Service
https://notcve.org/view.php?id=CVE-2023-2758
A denial of service vulnerability exists in Contec CONPROSYS HMI System versions 3.5.2 and prior. When there is a time-zone mismatch in certain configuration files, a remote, unauthenticated attacker may deny logins for an extended period of time. • https://jvn.jp/en/vu/JVNVU93372935/index.html https://www.tenable.com/security/research/tra-2023-21 • CWE-799: Improper Control of Interaction Frequency •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22324
https://notcve.org/view.php?id=CVE-2023-22324
SQL injection vulnerability in the CONPROSYS HMI System (CHS) Ver.3.5.0 and earlier allows a remote authenticated attacker to execute an arbitrary SQL command. As a result, information stored in the database may be obtained. Vulnerabilidad de inyección SQL en CONPROSYS HMI System (CHS) Ver.3.5.0 y anteriores permite que un atacante remoto autenticado ejecute un comando SQL arbitrario. Como resultado, se puede obtener información almacenada en la base de datos. • https://jvn.jp/en/vu/JVNVU97195023 https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230124_en.pdf https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c&downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22373
https://notcve.org/view.php?id=CVE-2023-22373
Cross-site scripting vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to inject an arbitrary script and obtain the sensitive information. Vulnerabilidad de cross-site scripting en CONPROSYS HMI System (CHS) Ver.3.4.5 y anteriores permite a un atacante remoto autenticado inyectar un script arbitrario y obtener información confidencial. • https://jvn.jp/en/vu/JVNVU96873821 https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03 https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c&downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22334
https://notcve.org/view.php?id=CVE-2023-22334
Use of password hash instead of password for authentication vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to obtain user credentials information via a man-in-the-middle attack. El uso de hash de contraseña en lugar de contraseña para la vulnerabilidad de autenticación en CONPROSYS HMI System (CHS) Ver.3.4.5 y anteriores permite a un atacante autenticado remoto obtener información de credenciales de usuario a través de un ataque de intermediario. • https://jvn.jp/en/vu/JVNVU96873821 https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03 https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c&downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b • CWE-287: Improper Authentication •