Vulnerabilities > CVE-2023-28824 - Server-Side Request Forgery (SSRF) vulnerability in Contec Conprosys HMI System

CVSS 4.9 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

contec

CWE-918

NVD

Published: 2023-06-01

Updated: 2023-06-08

Summary

Server-side request forgery vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user who can access the affected product with an administrative privilege may bypass the database restriction set on the query setting page, and connect to a user unintended database.

Vulnerable Configurations

Part	Description	Count
Application	Contec Contec Conprosys HMI System 3.3.0 Contec Conprosys HMI System 3.4.3 Contec Conprosys HMI System 3.4.4 Contec Conprosys HMI System 3.4.5	4

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

References

https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_jp.pdf
https://jvn.jp/en/vu/JVNVU93372935/
https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230531_en.pdf