Skip to main content

Conprosys Hmi System CVE-2023-28399

HIGH
Incorrect Permission Assignment for Critical Resource (CWE-732)
2023-06-01 vultures@jpcert.or.jp
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 01, 2023 - 02:15 nvd
HIGH 7.8

DescriptionNVD

Incorrect permission assignment for critical resource exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. ACL (Access Control List) is not appropriately set to the local folder where the affected product is installed, therefore a wide range of privileges is permitted to a user of the PC where the affected product is installed. As a result, the user may be able to destroy the system and/or execute a malicious program.

AnalysisAI

Incorrect permission assignment for critical resource exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Incorrect Permission Assignment (CWE-732), which allows attackers to access resources due to misconfigured permissions. Incorrect permission assignment for critical resource exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. ACL (Access Control List) is not appropriately set to the local folder where the affected product is installed, therefore a wide range of privileges is permitted to a user of the PC where the affected product is installed. As a result, the user may be able to destroy the system and/or execute a malicious program. Affected products include: Contec Conprosys Hmi System. Version information: prior to 3.5.3..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and restrict file/resource permissions, apply principle of least privilege.

CVE-2022-44456 CRITICAL
9.8 Dec 19

CONPROSYS HMI System (CHS) Ver.3.4.4?and earlier allows a remote unauthenticated attacker to execute an arbitrary OS com

CVE-2023-2758 MEDIUM POC
5.3 May 31

A denial of service vulnerability exists in Contec CONPROSYS HMI System versions 3.5.2 and prior. Rated medium severity

CVE-2023-28657 HIGH
8.8 Jun 01

Improper access control vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. Rated high severity

CVE-2023-28713 HIGH
8.1 Jun 01

Plaintext storage of a password exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. Rated high severity (CVSS

CVE-2025-34081 HIGH
7.5 Jul 01

The Contec Co.,Ltd. CONPROSYS HMI System (CHS) exposes a PHP phpinfo() debug page to unauthenticated users that may cont

CVE-2023-22339 HIGH
7.5 Jan 20

Improper access control vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthenticate

CVE-2023-22331 HIGH
7.5 Jan 20

Use of default credentials vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthentic

CVE-2023-29154 HIGH
7.2 Jun 01

SQL injection vulnerability exists in the CONPROSYS HMI System (CHS) versions prior to 3.5.3. Rated high severity (CVSS

CVE-2023-22324 MEDIUM
6.5 Jan 30

SQL injection vulnerability in the CONPROSYS HMI System (CHS) Ver.3.5.0 and earlier allows a remote authenticated attack

CVE-2025-34080 MEDIUM
6.1 Jul 01

The Contec Co.,Ltd. CONPROSYS HMI System (CHS) is vulnerable to Cross-Site Scripting (XSS) in the getqsetting.php functi

CVE-2023-22373 MEDIUM
5.4 Jan 20

Cross-site scripting vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated att

CVE-2023-22334 MEDIUM
5.3 Jan 20

Use of password hash instead of password for authentication vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and ea

Share

CVE-2023-28399 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy