PT-2022-9290 · Schneider Electric · Evlink Parking Evf2+4
Published 2022-01-28 · Updated 2022-02-03 · CVE-2021-22820
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
EVlink City EVC1S22P4 / EVC1S7P4 versions prior to R8 V3.4.0.2
EVlink Parking EVW2 / EVF2 / EVP2PE versions prior to R8 V3.4.0.2
EVlink Smart Wallbox EVB1A versions prior to R8 V3.4.0.2
Description
A CWE-614 Insufficient Session Expiration issue exists, allowing an attacker to maintain unauthorized access to the charger station web server over a hijacked session, even after the legitimate user has changed their password.
Recommendations
For EVlink City EVC1S22P4 / EVC1S7P4 versions prior to R8 V3.4.0.2, update to R8 V3.4.0.2 or later to resolve the issue.
For EVlink Parking EVW2 / EVF2 / EVP2PE versions prior to R8 V3.4.0.2, update to R8 V3.4.0.2 or later to resolve the issue.
For EVlink Smart Wallbox EVB1A versions prior to R8 V3.4.0.2, update to R8 V3.4.0.2 or later to resolve the issue.
Fix
Insufficient Session Expiration
Weakness Enumeration
Related Identifiers
Affected Products
Evlink City Evc1S22P4
Evlink City Evc1S7P4
Evlink Parking Evf2
Evlink Parking Evp2Pe
Evlink Smart Wallbox Evb1A