SB2023020325 - Multiple vulnerabilities in Mitsubishi Electric GOT2000 Series and GT SoftGOT2000

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Authentication Bypass by Spoofing (CVE-ID: CVE-2022-40269)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in when processing authentication requests. A remote attacker can impersonate legitimate users by abusing inappropriate HTML attributes or cause users' browsers to disclose sensitive information.

2) Improper Restriction of Rendered UI Layers or Frames (CVE-ID: CVE-2022-40268)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper restriction of rendered UI layers or frames. A remote attacker can trick a victim to perform unintended operations through clickjacking.

Remediation

Install update from vendor's website.

References

• https://jvn.jp/vu/JVNVU91222434/index.html
• https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-021_en.pdf