Server-Side Request Forgery Vulnerability in CONPROSYS HMI System by Contec
CVE-2023-28824

4.9MEDIUM

Key Information:

Vendor: Contec Co., Ltd.
Status: CONPROSYS HMI System (CHS)
Vendor: CVE Published:; 1 June 2023

🔔 Create Contec Co., Ltd. Vulnerability Alert

What is CVE-2023-28824?

A server-side request forgery vulnerability has been identified in the CONPROSYS HMI System, specifically in versions prior to 3.5.3. This security flaw allows users with administrative privileges to bypass existing database restrictions on the query settings page. As a result, they can connect to unintended databases, leading to potential unauthorized access to sensitive information.

Affected Version(s)

CONPROSYS HMI System (CHS) versions prior to 3.5.3

References

https://www.contec.com/api/downloadlogger?download=/-/med...

https://www.contec.com/jp/api/downloadlogger?download=/-/...

https://jvn.jp/en/vu/JVNVU93372935/

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 1, 2023
Vulnerability Reserved
May 11, 2023