CVSS: 8.8EPSS: 0%CPEs: 20EXPL: 0CVE-2021-34602 – Bender Charge Controller: Long URL could lead to webserver crash
https://notcve.org/view.php?id=CVE-2021-34602
27 Apr 2022 — In Bender/ebee Charge Controllers in multiple versions are prone to Command injection via Web interface. An authenticated attacker could enter shell commands into some input fields that are executed with root privileges. En los controladores de carga Bender/ebee en múltiples versiones son propensos a la inyección de comandos por medio de la interfaz web. Un atacante autenticado podría introducir comandos de shell en algunos campos de entrada que son ejecutados con privilegios root • https://cert.vde.com/en/advisories/VDE-2021-047 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 20EXPL: 0CVE-2021-34601 – Bender Charge Controller: Hardcoded Credentials in Charge Controller
https://notcve.org/view.php?id=CVE-2021-34601
27 Apr 2022 — In Bender/ebee Charge Controllers in multiple versions are prone to Hardcoded Credentials. Bender charge controller CC612 in version 5.20.1 and below is prone to hardcoded ssh credentials. An attacker may use the password to gain administrative access to the web-UI. En los controladores de carga Bender/ebee en múltiples versiones son propensos a Credenciales Embebidas. El controlador de carga CC612 de Bender en la versión 5.20.1 e inferior es propenso a credenciales ssh embebidas. • https://cert.vde.com/en/advisories/VDE-2021-047 • CWE-259: Use of Hard-coded Password CWE-798: Use of Hard-coded Credentials •
CVSS: 8.8EPSS: 0%CPEs: 20EXPL: 0CVE-2021-34592 – Bender Charge Controller: Command injection via Web interface
https://notcve.org/view.php?id=CVE-2021-34592
27 Apr 2022 — In Bender/ebee Charge Controllers in multiple versions are prone to Command injection via Web interface. An authenticated attacker could enter shell commands into some input fields. En los controladores de carga Bender/ebee en múltiples versiones son propensos a la inyección de comandos por medio de la interfaz Web. Un atacante autenticado podría introducir comandos de shell en algunos campos de entrada • https://cert.vde.com/en/advisories/VDE-2021-047 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 20EXPL: 0CVE-2021-34591 – Bender Charge Controller: Local privilege Escalation
https://notcve.org/view.php?id=CVE-2021-34591
27 Apr 2022 — In Bender/ebee Charge Controllers in multiple versions are prone to Local privilege Escalation. An authenticated attacker could get root access via the suid applications socat, ip udhcpc and ifplugd. En los controladores de carga Bender/ebee en múltiples versiones son propensos a una escalada de privilegios local. Un atacante autenticado podría obtener acceso de root por medio de las aplicaciones suid socat, ip udhcpc e ifplugd • https://cert.vde.com/en/advisories/VDE-2021-047 • CWE-250: Execution with Unnecessary Privileges •
CVSS: 5.4EPSS: 0%CPEs: 20EXPL: 0CVE-2021-34590 – Bender Charge Controller: Cross-site Scripting
https://notcve.org/view.php?id=CVE-2021-34590
27 Apr 2022 — In Bender/ebee Charge Controllers in multiple versions are prone to Cross-site Scripting. An authenticated attacker could write HTML Code into configuration values. These values are not properly escaped when displayed. En los controladores de carga Bender/ebee en múltiples versiones son propensos a un ataque de tipo Cross-site Scripting. Un atacante autenticado podría escribir código HTML en los valores de configuración. • https://cert.vde.com/en/advisories/VDE-2021-047 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 20EXPL: 0CVE-2021-34589 – Bender Charge Controller: RFID leak
https://notcve.org/view.php?id=CVE-2021-34589
27 Apr 2022 — In Bender/ebee Charge Controllers in multiple versions are prone to an RFID leak. The RFID of the last charge event can be read without authentication via the web interface. En los controladores de carga Bender/ebee en múltiples versiones son propensos a un filtrado de RFID. El RFID del último evento de carga puede ser leído sin autenticación por medio de la interfaz web • https://cert.vde.com/en/advisories/VDE-2021-047 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.6EPSS: 0%CPEs: 20EXPL: 0CVE-2021-34588 – Bender Charge Controller: Unprotected data export
https://notcve.org/view.php?id=CVE-2021-34588
27 Apr 2022 — In Bender/ebee Charge Controllers in multiple versions are prone to unprotected data export. Backup export is protected via a random key. The key is set at user login. It is empty after reboot . En los Controladores de Carga Bender/ebee en múltiples versiones son propensos a una exportación de datos sin protección. • https://cert.vde.com/en/advisories/VDE-2021-047 • CWE-425: Direct Request ('Forced Browsing') •
CVSS: 5.3EPSS: 0%CPEs: 21EXPL: 0CVE-2021-34587 – Bender Charge Controller: Long URL could lead to webserver crash
https://notcve.org/view.php?id=CVE-2021-34587
27 Apr 2022 — In Bender/ebee Charge Controllers in multiple versions a long URL could lead to webserver crash. The URL is used as input of an sprintf to a stack variable. En los Controladores de Carga Bender/ebee en múltiples versiones, una URL larga podría conllevar a un bloqueo del servidor web. La URL es usada como entrada de un sprintf a una variable de pila • https://cert.vde.com/en/advisories/VDE-2021-047 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •