CVE-2023-28651
Published: 01 June 2023
Summary
CVE-2023-28651 is a medium-severity stored cross-site scripting (CWE-79) vulnerability in the CONTEC CONPROSYS HMI System (CHS). Its CVSS base score is 4.8 (Medium).
Operationally, it is ranked in the top 12.0% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-28651 is a stored cross-site scripting vulnerability (CWE-79) affecting the CONPROSYS HMI System (CHS) web interface in all versions prior to 3.5.3. The flaw resides in the handling of administrator-configured settings: values saved by one administrator are later rendered into pages viewed by other privileged users without adequate output encoding or sanitization.
An authenticated administrator can supply specially crafted configuration values that cause an arbitrary script to execute in the browser context of a second administrator who subsequently views the affected pages. Because the script runs inside the victim's authenticated session, successful exploitation yields the ability to perform actions within the web application on behalf of the victim administrator. The CVSS vector reflects the two preconditions: high privileges (an administrator account to plant the payload) and user interaction (a second administrator viewing the page). The practical impact is therefore concentrated in deployments with multiple administrator accounts, where one administrator can silently act as another; a deployment with a single administrator account gains little from the bug.
Vendor advisories from CONTEC direct users to upgrade to CHS 3.5.3 or later; the referenced JVN and CONTEC security bulletins contain the corresponding update instructions and download links. The EPSS score rose materially from a low baseline to a peak of 0.1626 on 2026-03-28 before receding. EPSS estimates the probability of exploitation in the wild rather than confirming it, but a rise of that size long after disclosure warrants renewed attention, particularly for HMI installations that are still unpatched and expose the web interface beyond a segregated OT network.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-32312
Vulnerability details
Cross-site scripting vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. If a user who can access the affected product with an administrative privilege configures specially crafted settings, an arbitrary script may be executed on the web browser of the other user who is accessing the affected product with an administrative privilege.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing: submit XSS payloads to the web application, including stored payloads placed in administrator-editable settings, and confirm whether they execute when another privileged user views the affected pages; a finding is only confirmed when the payload reaches the page unencoded.
- Input validation: reject or constrain script-related content in web inputs; for settings such as device or contact names, enforce an allowlist of expected characters and a maximum length rather than trying to blocklist script fragments.
- Output encoding: encode every stored value for the context in which it is rendered (entity encoding for element text, attribute encoding for attribute values) before including it in a generated page. This is the primary fix for stored XSS, since input validation alone can be bypassed and the stored data may have been written before validation was added.
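The following is an added example, not CONPROSYS code and not from the advisory, illustrating both the mechanism described under "Deeper analysis" and the output-encoding control above. It models a hypothetical settings page: one administrator stores a value, the page is rendered for another administrator, and a probe check of the kind a penetration tester would run shows that the verbatim-interpolating render carries the payload through while the entity-encoding render neutralizes it. The settings store, field names and probe string are all constructed for the example.

```javascript
// Added example: stored XSS in an administrator settings page, vulnerable
// render beside the hardened one. Not CONPROSYS code; all names are hypothetical.

// In-memory stand-in for the product's settings store.
const settings = new Map();

// Administrator A saves a setting. This is the untrusted input in this bug
// class: "administrator" is a role in the web app, not a trust boundary for
// the browser of administrator B.
function saveSetting(name, value) {
  settings.set(name, String(value));
}

// Vulnerable render: stored values are interpolated into HTML verbatim, so a
// script stored by one administrator executes in the browser of whoever views
// the page next.
function renderSettingsVulnerable() {
  let html = '<ul>';
  for (const [name, value] of settings) {
    html += `<li>${name}: ${value}</li>`;
  }
  return html + '</ul>';
}

// Entity encoding for the HTML element-text context. Only the characters that
// can change parsing in that context need escaping; attribute or JavaScript
// contexts need their own encoders and are not covered here.
function escapeHtml(s) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
    '/': '&#x2F;',
  };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Hardened render: identical page layout, but every stored value is encoded
// at the point of output. Fixing at output means previously stored payloads
// are neutralized too, which input validation alone would not achieve.
function renderSettingsHardened() {
  let html = '<ul>';
  for (const [name, value] of settings) {
    html += `<li>${escapeHtml(name)}: ${escapeHtml(value)}</li>`;
  }
  return html + '</ul>';
}

// Probe check used by a pentest or regression test: does the rendered page
// contain the probe in the exact form the browser would execute? Searching
// for the raw probe (not the canary text) avoids a false positive when the
// page contains only an encoded, harmless copy.
function containsExecutableProbe(html, probe) {
  return html.includes(probe);
}

// Constructed canary payload of the kind stored in a free-text setting.
const PROBE = '<script>alert("xss-canary")</script>';

// Runs the scenario end to end and reports whether each render is exploitable.
function demo() {
  settings.clear();
  saveSetting('deviceName', 'Line 1 PLC');
  saveSetting('contact', PROBE);
  return {
    vulnerable: containsExecutableProbe(renderSettingsVulnerable(), PROBE),
    hardened: containsExecutableProbe(renderSettingsHardened(), PROBE),
  };
}

// Stand-alone run: expected { vulnerable: true, hardened: false }
console.log(demo());
```

The check deliberately keys on the raw probe rather than the canary string: a page that shows `&lt;script&gt;` is displaying the payload as text, which is the desired outcome, and a scanner that counted that as a hit would report the hardened page as still vulnerable. When testing a real HMI, run the probe from one administrator account and view the page from a second one, since the vulnerability is only meaningful across accounts.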