Cross-Site Request Forgery in EVlink Charging Stations by Schneider Electric
CVE-2021-22724

8.8HIGH

Key Information:

Vendor: Schneider Electric
Status: Evc1s22p4 Firmware
Vendor: CVE Published:; 28 January 2022

Summary

A Cross-Site Request Forgery vulnerability in Schneider Electric's EVlink products allows attackers to impersonate users and execute unauthorized actions. This occurs when attackers submit crafted malicious parameters in POST requests to the charging station's web server. The issue affects various models, including the EVlink City and Parking series, as well as the Smart Wallbox, specifically in all versions prior to R8 V3.4.0.2, posing significant security risks.

References

https://download.schneider-electric.com/files?p_Doc_Ref=S...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 28, 2022
Vulnerability Reserved
Jan 6, 2021