CVE-2023-46359 Scanner
CVE-2023-46359 Scanner - OS Command Injection vulnerability in cPH2 Charging Station
Short Info
Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 13 days 22 hours
Scan only one: URL
Toolbox: -
The cPH2 Charging Station, developed by Hardy Barth, is widely used in the electric vehicle industry to manage charge stations and the demand placed on them. Aimed at service providers, businesses, and residential users, it ensures efficient energy distribution. The software's interface supports different user capabilities and integrates with various IT infrastructure systems, making it an option for smart charging solutions. Its expansion options and connectivity with automation technologies support efficient charging operations. By improving user interaction and energy management, it also supports eco-friendly initiatives.
The OS Command Injection vulnerability in the cPH2 Charging Station allows attackers to execute arbitrary commands on the host system. This critical flaw resides in the system's connectivity check feature, which does not properly sanitize its input parameters. An unauthenticated attacker can leverage this to gain control over the system. Because attackers can execute system-level commands, the vulnerability poses a severe risk to the integrity and availability of the charge station infrastructure.
Technically, the vulnerability lies in an endpoint designed to verify system connections. Insecure handling of input in the ‘connectioncheck.php’ script lets attackers append crafted arguments, leading to remote command execution. The attack vector is primarily an unauthenticated remote request that exploits improper input validation within the connectivity function. Using command concatenation techniques, attackers can manipulate responses by executing their own commands. The endpoint's weak input filtering is what makes the flaw exploitable.
Attackers exploiting this flaw can achieve complete control over affected systems, possibly disrupting operations, exfiltrating sensitive data, or launching further attacks. Systems become vulnerable to data integrity breaches, loss of confidentiality, and service disruptions. Attackers could pivot from this access to other parts of a network, leading to more extensive organizational impacts. Losing control over the critical infrastructure of charging stations could result in both operational downtime and significant financial damages.
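For asset owners reviewing web server logs, the following added example (not part of the scanner or the vendor's code) flags requests to ‘connectioncheck.php’ whose query parameters contain shell metacharacters after percent-decoding. It assumes combined-format access logs and only sees query strings; the log lines and the parameter name `target` are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SCRIPT_NAME = "connectioncheck.php"  # script named in the description above
# Combined log format: client ident user [time] "METHOD target PROTO" status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+) [^"]*" \d{3}')
# Separators, pipes, substitution and redirection that a shell would interpret.
SHELL_META_RE = re.compile(r'[;&|`<>\r\n]|\$[({]')

# Constructed sample lines; the parameter name "target" is hypothetical.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
    '"GET /connectioncheck.php?target=192.0.2.10 HTTP/1.1" 200 512',
    '198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] '
    '"GET /connectioncheck.php?target=192.0.2.10%3Bid HTTP/1.1" 200 87',
    '198.51.100.99 - - [10/Oct/2023:13:57:41 +0000] '
    '"GET /connectioncheck.php?target=192.0.2.10%2526%2526id HTTP/1.1" 200 87',
    '203.0.113.7 - - [10/Oct/2023:13:58:10 +0000] '
    '"GET /index.php?q=a%3Bb HTTP/1.1" 200 1024',
]


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253B) a bounded number of times."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_lines):
    """Return (client_ip, parameter, decoded_value) for each flagged request."""
    findings = []
    for line in log_lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a combined-format request line
        client, target = match.groups()
        url = urlsplit(target)
        if not unquote(url.path).lower().endswith("/" + SCRIPT_NAME):
            continue  # only the connectivity-check script is of interest
        # parse_qsl decodes one layer; fully_decode peels any further layers.
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)
            if SHELL_META_RE.search(value):
                findings.append((client, name, value))
    return findings
```

A hit means the request deserves investigation, not that a command ran; values submitted in a request body do not appear in access logs and need a WAF or application-level check.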