Improper UI Layer Restriction in Schneider Electric EVlink Products
CVE-2021-22819

4.3 MEDIUM

Key Information:

CVE Published: 28 January 2022

Summary

An improper restriction of rendered UI layers or frames vulnerability exists in Schneider Electric's EVlink products. An attacker can exploit it to manipulate product settings or user accounts by deceiving users into interacting with the product's web interface while it is presented within iframes. This allows the attacker to make unauthorized changes without the user's knowledge. Users are advised to update to version R8 V3.4.0.2 or later to mitigate this risk.

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
