Skip to main content

Conprosys Hmi System CVE-2023-28651

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-06-01 vultures@jpcert.or.jp
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 01, 2023 - 02:15 nvd
MEDIUM 4.8

DescriptionNVD

Cross-site scripting vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. If a user who can access the affected product with an administrative privilege configures specially crafted settings, an arbitrary script may be executed on the web browser of the other user who is accessing the affected product with an administrative privilege.

AnalysisAI

Cross-site scripting vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Cross-site scripting vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. If a user who can access the affected product with an administrative privilege configures specially crafted settings, an arbitrary script may be executed on the web browser of the other user who is accessing the affected product with an administrative privilege. Affected products include: Contec Conprosys Hmi System. Version information: prior to 3.5.3..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2022-44456 CRITICAL
9.8 Dec 19

CONPROSYS HMI System (CHS) Ver.3.4.4?and earlier allows a remote unauthenticated attacker to execute an arbitrary OS com

CVE-2023-2758 MEDIUM POC
5.3 May 31

A denial of service vulnerability exists in Contec CONPROSYS HMI System versions 3.5.2 and prior. Rated medium severity

CVE-2023-28657 HIGH
8.8 Jun 01

Improper access control vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. Rated high severity

CVE-2023-28713 HIGH
8.1 Jun 01

Plaintext storage of a password exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. Rated high severity (CVSS

CVE-2023-28399 HIGH
7.8 Jun 01

Incorrect permission assignment for critical resource exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. Rate

CVE-2025-34081 HIGH
7.5 Jul 01

The Contec Co.,Ltd. CONPROSYS HMI System (CHS) exposes a PHP phpinfo() debug page to unauthenticated users that may cont

CVE-2023-22339 HIGH
7.5 Jan 20

Improper access control vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthenticate

CVE-2023-22331 HIGH
7.5 Jan 20

Use of default credentials vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthentic

CVE-2023-29154 HIGH
7.2 Jun 01

SQL injection vulnerability exists in the CONPROSYS HMI System (CHS) versions prior to 3.5.3. Rated high severity (CVSS

CVE-2023-22324 MEDIUM
6.5 Jan 30

SQL injection vulnerability in the CONPROSYS HMI System (CHS) Ver.3.5.0 and earlier allows a remote authenticated attack

CVE-2025-34080 MEDIUM
6.1 Jul 01

The Contec Co.,Ltd. CONPROSYS HMI System (CHS) is vulnerable to Cross-Site Scripting (XSS) in the getqsetting.php functi

CVE-2023-22373 MEDIUM
5.4 Jan 20

Cross-site scripting vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated att

Share

CVE-2023-28651 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy