Server-Side Request Forgery Vulnerability in Schneider Electric EVlink Products
CVE-2021-22821

8.6 HIGH

Key Information:

Vendor
CVE Published: 28 January 2022

Summary

A server-side request forgery (SSRF) vulnerability in Schneider Electric's EVlink products can lead to unauthorized network access. An attacker who submits crafted malicious parameters can manipulate the requests sent by the charging station web server and cause it to target unintended network locations. Affected models include various versions of EVlink City, Parking, and Smart Wallbox products, all prior to software version R8 V3.4.0.2. Organizations using these products should apply the recommended updates immediately to safeguard their network.

CVSS V3.1

Score: 8.6
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
