Cross-Site Scripting Vulnerability in EVlink Charging Stations by Schneider Electric
CVE-2021-22706

6.1MEDIUM

Key Information:

Vendor: Schneider Electric
Status: Evlink City (evc1s22p4 / Evc1s7p4 All Versions Prior To R8 V3.4.0.1), Evlink Parking (evw2 / Evf2 / Ev.2 All Versions Prior To R8 V3.4.0.1), And Evlink Smart Wallbox (evb1a All Versions Prior To R8 V3.4.0.1 )
Vendor: CVE Published:; 21 July 2021

🔔 Create Schneider Electric Vulnerability Alert

What is CVE-2021-22706?

A Cross-Site Scripting vulnerability exists within various EVlink products manufactured by Schneider Electric. This flaw allows attackers to exploit improper input validation, enabling them to impersonate users who manage the charging stations. Through crafted malicious parameters sent to the charging station's web server, attackers could perform unauthorized actions on behalf of legitimate users, effectively compromising the security of the management interface and potentially leading to unintended consequences for both users and operators.

Affected Version(s)

EVlink City (EVC1S22P4 / EVC1S7P4 all prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all prior to R8 V3.4.0.1 ) EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 )

References

http://download.schneider-electric.com/files?p_Doc_Ref=SE...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 21, 2021
Vulnerability Reserved
Jan 6, 2021