Japan Vulnerability NotesJVN:58266015JVN#58266015: Multiple vulnerabilities in multiple MEIKYO ELECTRIC products
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
38.6%
Multiple MEIKYO ELECTRIC products provided by MEIKYO ELECTRIC CO.,LTD. contain multiple vulnerabilities listed below.
Cross-site request forgery (CWE-352) - CVE-2022-27632
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L | Base Score: 5.4 |
| CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:P | Base Score: 4.0 |
Cross-site scripting (CWE-79) - CVE-2022-28717
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N | Base Score: 3.5 |
| CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | Base Score: 3.5 |
Impact
- If a user views a malicious page while logged in to the product’s web interface, unintended operations may be performed - CVE-2022-27632
- An arbitrary script may be executed on the web browser of the user who is accessing the product’s web interface - CVE-2022-28717
Solution
CVE-2022-27632
Apply the Workaround
Apply the following workaround to avoid the impacts of this vulnerability.
- Do not browse pages other than the product’s web interface on the same web browser while logging in to the web interface
CVE-2022-28717
Update the firmware
Apply the appropriate firmware update according to the information provided by the developer.
For more information, refer to the information provided by the developer.
Stop using the products and Switch to alternative products
The developer states that the following products are no longer supported, and recommends to use alternative unaffected products.
- Rebooter
- WATCH BOOT nino RPC-M2C
- WATCH BOOT light RPC-M5C
- WATCH BOOT L-zero RPC-M4L
- WATCH BOOT mini RPC-M4H
- Scheduler
- TIME BOOT mini RSC-MT4H
- TIME BOOT RSC-MT8F
- TIME BOOT RSC-MT8FP
Products Affected
- Rebooter
- WATCH BOOT nino RPC-M2C [End of Sale] all firmware versions
- WATCH BOOT light RPC-M5C [End of Sale] all firmware versions
- WATCH BOOT L-zero RPC-M4L [End of Sale] all firmware versions
- WATCH BOOT mini RPC-M4H [End of Sale] all firmware versions
- WATCH BOOT nino RPC-M2CS firmware version 1.00A to 1.00D
- WATCH BOOT light RPC-M5CS firmware version 1.00A to 1.00D
- WATCH BOOT L-zero RPC-M4LS firmware version 1.00A to 1.20A
- Signage Rebooter RPC-M4HSi firmware version 1.00A
- PoE Rebooter
- PoE BOOT nino PoE8M2 firmware version 1.00A to 1.20A
- Scheduler
- TIME BOOT mini RSC-MT4H [End of Sale] all firmware versions
- TIME BOOT RSC-MT8F [End of Sale] all firmware versions
- TIME BOOT RSC-MT8FP [End of Sale] all firmware versions
- TIME BOOT mini RSC-MT4HS firmware version 1.00A to 1.10A
- TIME BOOT RSC-MT8FS firmware version 1.00A to 1.00E
- Contact Converter
- POSE SE10-8A7B1 firmware version 1.00A to 1.20A
Related
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
38.6%