Cyber Resilience

CVE-2023-28651

Severity: Medium
Published: 01 June 2023
Modified: 09 January 2025
KEV Added: not listed
Patch: upgrade to CHS 3.5.3 or later
CVSS Score v3.1: 4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.0359 (88.0th percentile)
Risk Priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-28651 is a medium-severity stored cross-site scripting (CWE-79) vulnerability in the CONTEC CONPROSYS HMI System (CHS). Its CVSS v3.1 base score is 4.8 (Medium).

Operationally, it ranks in the top 12.0% of CVEs by EPSS-predicted exploit likelihood (88.0th percentile) and is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-28651 is a stored cross-site scripting vulnerability (CWE-79) in the web interface of CONPROSYS HMI System (CHS), affecting all versions prior to 3.5.3. The flaw lies in administrator-configured settings that are persisted and later rendered to other administrative users without adequate output encoding or sanitization.

An authenticated administrator can store specially crafted configuration values that cause an arbitrary script to execute in the browser of a second administrator who subsequently views the affected pages. Successful exploitation lets the attacker act within the web application on behalf of the victim administrator. The CVSS vector bounds the impact: the attacker must already hold high privileges (PR:H), the victim must open the affected page (UI:R), and the confidentiality and integrity impacts are rated low; the changed scope (S:C) reflects that the payload executes in the victim's browser rather than within the HMI server's own authorization scope.

Vendor advisories from CONTEC direct users to upgrade to CHS 3.5.3 or later; the referenced JVN and CONTEC security bulletins contain the corresponding update instructions and download links. The EPSS score rose from a low baseline to a peak of 0.1626 on 2026-03-28 before receding. EPSS estimates the probability of exploitation activity rather than confirming it, but a rise of that size after disclosure warrants renewed attention.

Vulnerability details

Cross-site scripting vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. If a user who can access the affected product with an administrative privilege configures specially crafted settings, an arbitrary script may be executed on the web browser of the other user who is accessing the affected product with an administrative privilege.

CWE(s)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

contec / conprosys hmi system: versions prior to 3.5.3 (< 3.5.3; 3.5.3 itself is the fixed release)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-79) cited in the NVD entry. For this CVE the attacker already holds administrative privilege, so controls that filter what an administrator may enter are secondary; the primary remediation is the vendor update to CHS 3.5.3, and the underlying fix class is context-aware output encoding of stored settings at render time.

Penetration testing (addresses CWE-79): submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

Input validation (addresses CWE-79): validates web inputs to reject script-related content that could produce XSS.

Output validation (addresses CWE-79): validating generated pages against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
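As an added illustration of the stored-XSS pattern described in the deeper analysis above and of the payload-submission check in the penetration-testing control, the following Node.js snippet is example code written for this page; it is not code from CONPROSYS HMI System or from CONTEC. It stores an administrator-supplied setting value, renders it to a settings page both without encoding (the vulnerable pattern) and with HTML encoding (the fix), and then applies a crude check for whether the rendered page would execute script in a second administrator's browser. The setting names, page layout, payloads and helper names are all constructed for the example.

```javascript
// Example code added for illustration; not from CONPROSYS HMI System or CONTEC.
// Setting names, page layout, payloads and helper names are constructed.

// In-memory stand-in for the HMI's persisted configuration (constructed).
const settings = new Map();

// Any administrator can write a setting. The value is stored verbatim, which is
// acceptable only if every reader encodes it for the context it is rendered into.
function saveSetting(adminUser, key, value) {
  settings.set(key, { value: String(value), setBy: adminUser });
}

// Encodes the five characters that are significant in HTML text and
// double-quoted attribute contexts. Not sufficient for JavaScript, URL or CSS contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE pattern: stored values are concatenated straight into the page,
// so a value like <script>...</script> becomes live markup for the next viewer.
function renderSettingsPageVulnerable() {
  let html = "<table>";
  for (const [key, { value, setBy }] of settings) {
    html += `<tr><td>${key}</td><td>${value}</td><td>${setBy}</td></tr>`;
  }
  return html + "</table>";
}

// HARDENED pattern: every dynamic value is encoded for the HTML text context
// at render time, regardless of who wrote it or what privilege they hold.
function renderSettingsPageHardened() {
  let html = "<table>";
  for (const [key, { value, setBy }] of settings) {
    html += `<tr><td>${escapeHtml(key)}</td><td>${escapeHtml(value)}</td><td>${escapeHtml(setBy)}</td></tr>`;
  }
  return html + "</table>";
}

// Crude stand-in for the victim's browser: would this markup execute script?
// Looks for a live <script> element or an inline on* event-handler attribute.
function containsExecutableScript(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\bon[a-z]+\s*=/i.test(html);
}

// Constructed payloads of the kind a penetration tester would submit into an
// administrative setting. Neither contacts any endpoint; both only change the title.
const PAYLOADS = [
  '<script>document.title = "xss"</script>',
  '<img src=x onerror="document.title=\'xss\'">',
];

// Stores the payloads as if a first administrator had saved them, then renders the
// page as a second administrator would receive it under each pattern.
function demo() {
  saveSetting("admin-a", "deviceLabel", PAYLOADS[0]);
  saveSetting("admin-a", "alarmNote", PAYLOADS[1]);
  return {
    vulnerable: containsExecutableScript(renderSettingsPageVulnerable()),
    hardened: containsExecutableScript(renderSettingsPageHardened()),
  };
}

console.log(demo()); // { vulnerable: true, hardened: false }
```

escapeHtml covers HTML text and attribute values only; a stored value that lands inside a script block, a URL or a style attribute needs the encoder for that context. A Content-Security-Policy that omits 'unsafe-inline' would block both payloads even where an encoder was missed, and is worth deploying on HMI web interfaces as defence in depth; it does not replace the vendor update.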