Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-22724

A CVE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that could allow an attacker to impersonate the user or carry out actions on their behalf when crafted malicious parameters are submitted in POST requests sent to the charging station web server. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2 ), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2)

Published

2022-01-28T20:15:09.670

Last Modified

2024-11-21T05:50:32.143

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Primary
CWE-352

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	schneider-electric	evc1s22p4_firmware	< 3.4.0.2	Yes
Hardware	schneider-electric	evc1s22p4	-	No
Operating System	schneider-electric	evc1s7p4_firmware	< 3.4.0.2	Yes
Hardware	schneider-electric	evc1s7p4	-	No
Operating System	schneider-electric	evw2_firmware	< 3.4.0.2	Yes
Hardware	schneider-electric	evw2	-	No
Operating System	schneider-electric	evf2_firmware	< 3.4.0.2	Yes
Hardware	schneider-electric	evf2	-	No
Operating System	schneider-electric	evp2pe_firmware	< 3.4.0.2	Yes
Hardware	schneider-electric	evp2pe	-	No
Operating System	schneider-electric	evb1a_firmware	< 3.4.0.2	Yes
Hardware	schneider-electric	evb1a	-	No

References

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-348-02 Patch, Vendor Advisory ([email protected])
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-348-02 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)