CVE-2023-29154
Published: 01 June 2023
Summary
CVE-2023-29154 is a high-severity SQL Injection (CWE-89) vulnerability in Contec Conprosys Hmi System. Its CVSS base score is 7.2 (High).
Operationally, ranked in the top 12.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-29154 is a SQL injection vulnerability in the CONPROSYS HMI System (CHS) versions prior to 3.5.3. The flaw resides in the query setting page, where insufficient input validation allows crafted data to be interpreted as SQL commands.
An attacker with administrative access to the affected product can supply malicious input to the query setting page and execute arbitrary SQL statements. Successful exploitation grants full control over the database, enabling impacts rated high for confidentiality, integrity, and availability under the CVSS vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
Vendor advisories published by CONTEC and coordinated through JVN recommend upgrading to CHS version 3.5.3 or later to address the issue; the referenced security bulletins detail the affected builds and the corrective release.
EPSS for the CVE rose from a low baseline to a peak of 0.1302 before receding to the current value of 0.0356, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-32756
Vulnerability details
SQL injection vulnerability exists in the CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user who can access the affected product with an administrative privilege may execute an arbitrary SQL command via specially crafted input to the query setting…
more
page.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.