CVE-2022-22807

EPSS 0.9%CWE-1021

In short

The EcoStruxure EV Charging Expert system can be tricked into allowing attackers to modify settings or user accounts by embedding its web interface in hidden frames. An attacker could deceive users into unknowingly making changes to the system.

Technical detail

A clickjacking vulnerability (CWE-1021) allows attackers to overlay or embed the vulnerable web interface within iframes without proper UI layer restrictions. By deceiving users to interact with these framed pages, attackers can perform unauthorized modifications to product settings and user account data. The vulnerability affects multiple hardware versions prior to SP8 (Version 01) V4.0.0.13.

Summary generated and translated by AI from the official description.

A CWE-1021 Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause unintended modifications of the product settings or user accounts when deceiving the user to use the web interface rendered within iframes. Affected Product: EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System): (HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML) (All Versions prior to SP8 (Version 01) V4.0.0.13)

Affected products

n/a · EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System): (HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML) (All Versions prior to SP8 (Version 01) V4.0.0.13)

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-02