CVE-2023-27917
https://notcve.org/view.php?id=CVE-2023-27917
OS command injection vulnerability in CONPROSYS IoT Gateway products allows a remote authenticated attacker who can access Network Maintenance page to execute arbitrary OS commands with a root privilege. The affected products and versions are as follows: M2M Gateway with the firmware Ver.3.7.10 and earlier (CPS-MG341-ADSC1-111, CPS-MG341-ADSC1-931, CPS-MG341G-ADSC1-111, CPS-MG341G-ADSC1-930, and CPS-MG341G5-ADSC1-931), M2M Controller Integrated Type with firmware Ver.3.7.6 and earlier versions (CPS-MC341-ADSC1-111, CPS-MC341-ADSC1-931, CPS-MC341-ADSC2-111, CPS-MC341G-ADSC1-110, CPS-MC341Q-ADSC1-111, CPS-MC341-DS1-111, CPS-MC341-DS11-111, CPS-MC341-DS2-911, and CPS-MC341-A1-111), and M2M Controller Configurable Type with firmware Ver.3.8.8 and earlier versions (CPS-MCS341-DS1-111, CPS-MCS341-DS1-131, CPS-MCS341G-DS1-130, CPS-MCS341G5-DS1-130, and CPS-MCS341Q-DS1-131). • https://jvn.jp/en/vu/JVNVU96198617 https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_cps_230317_en.pdf https://www.contec.com/download/donwload-list/?itemid=a054b3eb-da97-40d0-9598-d7f5ff4239ec#firmware https://www.contec.com/download/donwload-list/?itemid=a1b33f0d-d32b-4549-9741-613cd37d5528#firmware https://www.contec.com/download/donwload-list/?itemid=f832c526-dcf6-4976-85aa-f536c15a8120#firmware • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2023-23575
https://notcve.org/view.php?id=CVE-2023-23575
Improper access control vulnerability in CONPROSYS IoT Gateway products allows a remote authenticated attacker to bypass access restriction and access Network Maintenance page, which may result in obtaining the network information of the product. The affected products and versions are as follows: M2M Gateway with the firmware Ver.3.7.10 and earlier (CPS-MG341-ADSC1-111, CPS-MG341-ADSC1-931, CPS-MG341G-ADSC1-111, CPS-MG341G-ADSC1-930, and CPS-MG341G5-ADSC1-931), M2M Controller Integrated Type with firmware Ver.3.7.6 and earlier versions (CPS-MC341-ADSC1-111, CPS-MC341-ADSC1-931, CPS-MC341-ADSC2-111, CPS-MC341G-ADSC1-110, CPS-MC341Q-ADSC1-111, CPS-MC341-DS1-111, CPS-MC341-DS11-111, CPS-MC341-DS2-911, and CPS-MC341-A1-111), and M2M Controller Configurable Type with firmware Ver.3.8.8 and earlier versions (CPS-MCS341-DS1-111, CPS-MCS341-DS1-131, CPS-MCS341G-DS1-130, CPS-MCS341G5-DS1-130, and CPS-MCS341Q-DS1-131). • https://jvn.jp/en/vu/JVNVU96198617 https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_cps_230317_en.pdf https://www.contec.com/download/donwload-list/?itemid=a054b3eb-da97-40d0-9598-d7f5ff4239ec#firmware https://www.contec.com/download/donwload-list/?itemid=a1b33f0d-d32b-4549-9741-613cd37d5528#firmware https://www.contec.com/download/donwload-list/?itemid=f832c526-dcf6-4976-85aa-f536c15a8120#firmware •
CVE-2023-27389
https://notcve.org/view.php?id=CVE-2023-27389
Inadequate encryption strength vulnerability in CONPROSYS IoT Gateway products allows a remote authenticated attacker with an administrative privilege to apply a specially crafted Firmware update file, alter the information, cause a denial-of-service (DoS) condition, and/or execute arbitrary code. The affected products and versions are as follows: M2M Gateway with the firmware Ver.3.7.10 and earlier (CPS-MG341-ADSC1-111, CPS-MG341-ADSC1-931, CPS-MG341G-ADSC1-111, CPS-MG341G-ADSC1-930, and CPS-MG341G5-ADSC1-931), M2M Controller Integrated Type with firmware Ver.3.7.6 and earlier versions (CPS-MC341-ADSC1-111, CPS-MC341-ADSC1-931, CPS-MC341-ADSC2-111, CPS-MC341G-ADSC1-110, CPS-MC341Q-ADSC1-111, CPS-MC341-DS1-111, CPS-MC341-DS11-111, CPS-MC341-DS2-911, and CPS-MC341-A1-111), and M2M Controller Configurable Type with firmware Ver.3.8.8 and earlier versions (CPS-MCS341-DS1-111, CPS-MCS341-DS1-131, CPS-MCS341G-DS1-130, CPS-MCS341G5-DS1-130, and CPS-MCS341Q-DS1-131). • https://jvn.jp/en/vu/JVNVU96198617 https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_cps_230317_en.pdf https://www.contec.com/download/donwload-list/?itemid=a054b3eb-da97-40d0-9598-d7f5ff4239ec#firmware https://www.contec.com/download/donwload-list/?itemid=a1b33f0d-d32b-4549-9741-613cd37d5528#firmware https://www.contec.com/download/donwload-list/?itemid=f832c526-dcf6-4976-85aa-f536c15a8120#firmware • CWE-326: Inadequate Encryption Strength •
CVE-2023-23333 – SolarView Compact 6.00 - Command Injection
https://notcve.org/view.php?id=CVE-2023-23333
There is a command injection vulnerability in SolarView Compact through 6.00, attackers can execute commands by bypassing internal restrictions through downloader.php. SolarView Compact version 6.00 suffers from a remote command injection vulnerability. • https://www.exploit-db.com/exploits/51886 https://github.com/emanueldosreis/nmap-CVE-2023-23333-exploit https://github.com/binaryusergearone/SolarView-Compact-6.00-Command-Injection-Exploit-CVE-2023-23333- https://github.com/Mr-xn/CVE-2023-23333 https://github.com/Timorlover/CVE-2023-23333 http://packetstormsecurity.com/files/174537/SolarView-Compact-6.00-Remote-Command-Execution.html https://attackerkb.com/topics/kE3lzTZGV2/cve-2023-23333 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2023-22324
https://notcve.org/view.php?id=CVE-2023-22324
SQL injection vulnerability in the CONPROSYS HMI System (CHS) Ver.3.5.0 and earlier allows a remote authenticated attacker to execute an arbitrary SQL command. As a result, information stored in the database may be obtained. Vulnerabilidad de inyección SQL en CONPROSYS HMI System (CHS) Ver.3.5.0 y anteriores permite que un atacante remoto autenticado ejecute un comando SQL arbitrario. Como resultado, se puede obtener información almacenada en la base de datos. • https://jvn.jp/en/vu/JVNVU97195023 https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230124_en.pdf https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c&downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •