CVE-2021-22724: CSRF
First published: Fri Jan 28 2022(Updated: )
A CVE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that could allow an attacker to impersonate the user or carry out actions on their behalf when crafted malicious parameters are submitted in POST requests sent to the charging station web server. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2 ), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2)
Credit: cybersecurity@se.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Schneider-electric Evc1s22p4 Firmware | <3.4.0.2 | |
| Schneider-electric Evc1s22p4 | ||
| Schneider-electric Evc1s7p4 Firmware | <3.4.0.2 | |
| Schneider-electric Evc1s7p4 | ||
| Schneider-electric Evw2 Firmware | <3.4.0.2 | |
| Schneider-electric Evw2 | ||
| Schneider-electric Evf2 Firmware | <3.4.0.2 | |
| Schneider-electric Evf2 | ||
| Schneider-electric Evp2pe Firmware | <3.4.0.2 | |
| Schneider-electric Evp2pe | ||
| Schneider-electric Evb1a Firmware | <3.4.0.2 | |
| Schneider-electric Evb1a |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2021-22724?
CVE-2021-22724 is considered a medium severity Cross-Site Request Forgery (CSRF) vulnerability.
How do I fix CVE-2021-22724?
To fix CVE-2021-22724, update the affected firmware of your Schneider Electric devices to the latest version that addresses this vulnerability.
Which products are affected by CVE-2021-22724?
CVE-2021-22724 affects several Schneider Electric products including the EVlink City EVC1S22P and others listed in the advisory.
What type of attack is possible with CVE-2021-22724?
CVE-2021-22724 allows an attacker to perform Cross-Site Request Forgery attacks, potentially impersonating users.
Can CVE-2021-22724 be exploited remotely?
Yes, CVE-2021-22724 can be exploited remotely if crafted malicious parameters are submitted via POST requests.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/remedy
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/severity
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- vendor/schneider-electric
- canonical/schneider-electric evc1s22p4 firmware
- canonical/schneider-electric evc1s22p4
- canonical/schneider-electric evc1s7p4 firmware
- canonical/schneider-electric evc1s7p4
- canonical/schneider-electric evw2 firmware
- canonical/schneider-electric evw2
- canonical/schneider-electric evf2 firmware
- canonical/schneider-electric evf2
- canonical/schneider-electric evp2pe firmware
- canonical/schneider-electric evp2pe
- canonical/schneider-electric evb1a firmware
- canonical/schneider-electric evb1a