CVE-2018-7802
Description
A SQL Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could give access to the web interface with full privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Schneider Electric EVLink Parking v3.2.0-12_v1 and earlier allows authenticated attackers to gain full web interface access.
Vulnerability
A SQL injection vulnerability exists in Schneider Electric EVLink Parking versions 3.2.0-12_v1 and prior. The flaw resides in the web interface component, where improper neutralization of special elements used in SQL commands allows an attacker to inject arbitrary SQL queries. This vulnerability is assigned CVE-2018-7802 and has a CVSS v3 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) [1].
Exploitation
An attacker must have low-privileged access to the device (e.g., a valid user account) to exploit this vulnerability. No user interaction is required. The attacker can send crafted SQL injection payloads to the vulnerable web interface, bypassing authentication or escalating privileges to gain full administrative access. The attack is remotely exploitable over the network [1].
Impact
Successful exploitation allows the attacker to access the web interface with full privileges, leading to low confidentiality and low integrity impacts. The scope of the compromise changes, meaning the attacker can affect resources beyond the vulnerable component. This could enable further attacks such as stopping the charging station or executing arbitrary commands, though those are covered by other CVEs [1].
Mitigation
Schneider Electric recommends users update to a fixed version. As of the advisory date (January 31, 2019), the vendor has not released a specific patch version; users should contact Schneider Electric support for mitigation guidance. No workaround is provided in the advisory. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.2.0-12_v1
- Schneider Electric SE / EVLink Parking v3.2.0-12_v1 and earlier [v5]. Range: EVLink Parking v3.2.0-12_v1 and earlier
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/106807 (mitre; vdb-entry, x_refsource_BID)
- ics-cert.us-cert.gov/advisories/ICSA-19-031-01 (mitre; x_refsource_MISC)
- www.schneider-electric.com/en/download/document/SEVD-2018-354-01/ (mitre; x_refsource_CONFIRM)