Multiple vulnerabilities in Schneider Electric EVLink Parking
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2018-7800 CVE-2018-7801 CVE-2018-7802 |
| CWE-ID | CWE-798 CWE-94 CWE-89 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
EVLink Parking Hardware solutions / Firmware |
| Vendor | Schneider Electric |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Use of hardcoded credentials
EUVDB-ID: #VU16682
Risk: Low
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7800
CWE-ID:
CWE-798 - Use of Hard-coded Credentials
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain elevated privileges.
The weakness exists due to use of hard-coded credentials. A remote attacker can use such credentials to gain elevated privileges on the device.
Install update from vendor's website.
Vulnerable software versionsEVLink Parking: All versions
External linkshttp://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD...
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Code injection
EUVDB-ID: #VU16685
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7801
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code.
The weakness exists due to use of hard-coded credentials. A remote attacker can inject and execute arbitrary code with maximum privileges.
Install update from vendor's website.
Vulnerable software versionsEVLink Parking: All versions
External linkshttp://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD...
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) SQL injection
EUVDB-ID: #VU16686
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7802
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL commands in web application database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in web application database.
Successful exploitation of the vulnerability may allow an attacker to gain administrative access to vulnerable web application.
MitigationInstall update from vendor's website.
Vulnerable software versionsEVLink Parking: All versions
External linkshttp://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD...
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
