Steve · Steve · CVE-2026-28230
**Name of the Vulnerable Software and Affected Versions**
SteVe versions up to and including 3.11.0
**Description**
SteVe is an open-source EV charging station management system affected by a transaction hijacking issue. An attacker who controls a registered charger, or who reaches the unauthenticated SOAP endpoints without any registration at all, can terminate any other charger's active session anywhere on the network. The cause is that the system identifies a transaction by `transactionId` alone and never verifies that the requesting charger owns it. The defect resides in the `OcppServerRepositoryImpl.getTransaction()` function, which lacks a `chargeBoxId` ownership check. Because `transactionId` values are sequential, an attacker can enumerate them and send StopTransaction messages that terminate active sessions on other chargers. The **API endpoint** used in the attack is the StopTransaction message, and the vulnerable parameter is `transactionId`.
**Recommendations**
Update SteVe to a release that includes commit 7f169c6c5b36a9c458ec41ce8af581972e5c724e, which addresses the issue.
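The following is an added illustration, not SteVe's own code or the fix from the commit above: a minimal in-memory transaction store that shows the vulnerable lookup pattern (by `transactionId` only) beside the hardened one, where a StopTransaction is honoured only when the requesting `chargeBoxId` owns the session. Class, method and field names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical model of the lookup, not SteVe's repository class.
public class TransactionOwnershipCheck {
    static final class Transaction {
        final int transactionId;
        final String chargeBoxId;   // charger that opened this session
        boolean active = true;
        Transaction(int transactionId, String chargeBoxId) {
            this.transactionId = transactionId;
            this.chargeBoxId = chargeBoxId;
        }
    }

    private final Map<Integer, Transaction> store = new HashMap<>();

    int startTransaction(String chargeBoxId) {
        int id = store.size() + 1;  // sequential ids, as the advisory describes
        store.put(id, new Transaction(id, chargeBoxId));
        return id;
    }

    // Vulnerable pattern: the requester is never consulted.
    Optional<Transaction> getTransactionUnchecked(int transactionId) {
        return Optional.ofNullable(store.get(transactionId));
    }

    // Hardened pattern: a transaction is only visible to the charger that owns it.
    Optional<Transaction> getTransaction(String requestingChargeBoxId, int transactionId) {
        Transaction t = store.get(transactionId);
        if (t == null || !t.chargeBoxId.equals(requestingChargeBoxId)) {
            return Optional.empty();  // unknown and foreign ids look identical to the caller
        }
        return Optional.of(t);
    }

    // StopTransaction handler built on the hardened lookup; a false result is
    // worth logging as a possible cross-charger stop attempt.
    boolean stopTransaction(String requestingChargeBoxId, int transactionId) {
        Optional<Transaction> t = getTransaction(requestingChargeBoxId, transactionId);
        if (!t.isPresent()) {
            return false;
        }
        t.get().active = false;
        return true;
    }

    public static void main(String[] args) {
        TransactionOwnershipCheck repo = new TransactionOwnershipCheck();
        int id = repo.startTransaction("CB-A");  // constructed sample charger ids
        System.out.println("stop from CB-B: " + repo.stopTransaction("CB-B", id));
        System.out.println("stop from CB-A: " + repo.stopTransaction("CB-A", id));
    }
}
```

The unchecked method is kept only for comparison; in a real handler every read of a transaction should go through the owner-scoped lookup, and the chargeBoxId should come from the authenticated connection, not from the message body.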