PT-2021-7786 · Schneider Electric · Evlink City Evc1S7P4+4

Published: 2021-12-14 · Updated: 2023-03-01 · CVE-2021-22822

CVSS v2.0: 9.0 High

Vector: AV:N/AC:L/Au:N/C:C/I:P/A:P

Name of the Vulnerable Software and Affected Versions

EVlink City EVC1S22P4 / EVC1S7P4 versions prior to R8 V3.4.0.2
EVlink Parking EVW2 / EVF2 / EVP2PE versions prior to R8 V3.4.0.2
EVlink Smart Wallbox EVB1A versions prior to R8 V3.4.0.2

Description

A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) issue exists, allowing an attacker to impersonate the user who manages the charging station or carry out actions on their behalf when crafted malicious parameters are submitted to the charging station web server.

Recommendations

For EVlink City EVC1S22P4 / EVC1S7P4 versions prior to R8 V3.4.0.2, update to R8 V3.4.0.2 or later.
For EVlink Parking EVW2 / EVF2 / EVP2PE versions prior to R8 V3.4.0.2, update to R8 V3.4.0.2 or later.
For EVlink Smart Wallbox EVB1A versions prior to R8 V3.4.0.2, update to R8 V3.4.0.2 or later.

As a temporary workaround, consider restricting access to the web server to minimize the risk of exploitation.

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2023-02901
CVE-2021-22822

Affected Products

Evlink City Evc1S22P4
Evlink City Evc1S7P4
Evlink Parking Evf2
Evlink Parking Evp2Pe
Evlink Smart Wallbox Evb1A