CVE-2023-22373
https://notcve.org/view.php?id=CVE-2023-22373
Cross-site scripting vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to inject an arbitrary script and obtain the sensitive information.
• https://jvn.jp/en/vu/JVNVU96873821
• https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03
• https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf
• https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c&downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-22334
https://notcve.org/view.php?id=CVE-2023-22334
Use of password hash instead of password for authentication vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to obtain user credentials information via a man-in-the-middle attack.
• https://jvn.jp/en/vu/JVNVU96873821
• https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03
• https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf
• https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c&downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b
• CWE-287: Improper Authentication
CVE-2023-22331
https://notcve.org/view.php?id=CVE-2023-22331
Use of default credentials vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthenticated attacker to alter user credentials information.
• https://jvn.jp/en/vu/JVNVU96873821
• https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03
• https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf
• https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c&downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b
• CWE-269: Improper Privilege Management
CVE-2023-22339
https://notcve.org/view.php?id=CVE-2023-22339
Improper access control vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthenticated attacker to bypass access restriction and obtain the server certificate including the private key of the product.
• https://jvn.jp/en/vu/JVNVU96873821
• https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03
• https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf
• https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c&downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b
CVE-2022-44456
https://notcve.org/view.php?id=CVE-2022-44456
CONPROSYS HMI System (CHS) Ver.3.4.4 and earlier allows a remote unauthenticated attacker to execute an arbitrary OS command on the server where the product is running by sending a specially crafted request.
• https://jvn.jp/en/vu/JVNVU96873821/index.html
• https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_221014_en.pdf
• https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c&downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')