CVE-2023-29114

EUVD-2023-32717

05.11.2024, 15:15

System logs could be accessed through web management application due to a lack of access control.


An attacker can obtain the following sensitive information:

•     Wi-Fi access point credentials to which the EV charger can connect.

•     APN web address and credentials.

•     IPSEC credentials.

•     Web interface access credentials for user and admin accounts.

•     JuiceBox system components (software installed, model, firmware version, etc.).

•     C2G configuration details.

•     Internal IP addresses.

•     OTA firmware update configurations (DNS servers).

All the credentials are stored in logs in an unencrypted plaintext format.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.7 MEDIUM	ADJACENT_NETWORK	LOW	LOW	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
ASRG	CNA	5.7 MEDIUM	ADJACENT_NETWORK	LOW	LOW	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 24%

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://support-emobility.enelx.com/content/dam/enelxmobility/italia/documenti/manuali-schede-tecniche/Waybox-3-Security-Bulletin-06-2024-V1.pdf