VYPR
Unrated severity · NVD Advisory · Published Sep 28, 2022 · Updated May 20, 2025

Reflected XSS in Carlo Gavazzi UWP 3.0

CVE-2022-28816

Description

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3, the Sentilo Proxy is prone to reflected XSS, which only affects the Sentilo service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in the Sentilo Proxy of Carlo Gavazzi UWP3.0 and CPY Car Park Server allows arbitrary JavaScript execution.

Vulnerability

The Sentilo Proxy component in Carlo Gavazzi UWP3.0 (multiple versions) and CPY Car Park Server version 2.8.3 is vulnerable to reflected cross-site scripting (XSS). The vulnerability exists because user-supplied data is insufficiently validated, so an attacker can inject arbitrary JavaScript that the server reflects back into its response. [1]

Exploitation

An attacker can craft a malicious URL that, when accessed by a user (e.g., through phishing), causes the Sentilo service to execute the injected script in the user's browser. No authentication is required, but the attack relies on user interaction such as clicking a link. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the Sentilo service. This could lead to session hijacking, defacement, or redirection to malicious sites, affecting the confidentiality and integrity of the Sentilo service data. [1]

Mitigation

Carlo Gavazzi has released updated firmware and software versions. Users should update to the latest versions as indicated in the vendor advisory VDE-2022-029. [1] If no patch is available for a specific version, restrict access to the Sentilo service interface to trusted networks.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (6)

  • = 2.8.3 (no CPE assigned), plus one further version range
  • Carlo Gavazzi / UWP 3.0 Monitoring Gateway and Controller
  • Carlo Gavazzi / UWP 3.0 Monitoring Gateway and Controller – EDP version
  • Carlo Gavazzi / UWP 3.0 Monitoring Gateway and Controller – Security Enhanced

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.