CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28657
https://notcve.org/view.php?id=CVE-2023-28657
Improper access control vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user of the PC where the affected product is installed may gain an administrative privilege. As a result, information regarding the product may be obtained and/or altered by the user. • https://jvn.jp/en/vu/JVNVU93372935 https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-2758 – Contec CONPROSYS HMI System (CHS) v3.5.2 Denial of Service
https://notcve.org/view.php?id=CVE-2023-2758
A denial of service vulnerability exists in Contec CONPROSYS HMI System versions 3.5.2 and prior. When there is a time-zone mismatch in certain configuration files, a remote, unauthenticated attacker may deny logins for an extended period of time. • https://jvn.jp/en/vu/JVNVU93372935/index.html https://www.tenable.com/security/research/tra-2023-21 • CWE-799: Improper Control of Interaction Frequency •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22324
https://notcve.org/view.php?id=CVE-2023-22324
SQL injection vulnerability in the CONPROSYS HMI System (CHS) Ver.3.5.0 and earlier allows a remote authenticated attacker to execute an arbitrary SQL command. As a result, information stored in the database may be obtained. Vulnerabilidad de inyección SQL en CONPROSYS HMI System (CHS) Ver.3.5.0 y anteriores permite que un atacante remoto autenticado ejecute un comando SQL arbitrario. Como resultado, se puede obtener información almacenada en la base de datos. • https://jvn.jp/en/vu/JVNVU97195023 https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230124_en.pdf https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c&downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22373
https://notcve.org/view.php?id=CVE-2023-22373
Cross-site scripting vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to inject an arbitrary script and obtain the sensitive information. Vulnerabilidad de cross-site scripting en CONPROSYS HMI System (CHS) Ver.3.4.5 y anteriores permite a un atacante remoto autenticado inyectar un script arbitrario y obtener información confidencial. • https://jvn.jp/en/vu/JVNVU96873821 https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03 https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c&downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22331
https://notcve.org/view.php?id=CVE-2023-22331
Use of default credentials vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthenticated attacker to alter user credentials information. El uso de la vulnerabilidad de credenciales predeterminadas en CONPROSYS HMI System (CHS) Ver.3.4.5 y versiones anteriores permite que un atacante remoto no autenticado altere la información de las credenciales del usuario. • https://jvn.jp/en/vu/JVNVU96873821 https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03 https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c&downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b • CWE-269: Improper Privilege Management •