CVE-2024-1707 in WALLBOX GLB+ T2EV7info

Summary

by MITRE • 02/21/2024

A vulnerability, which was classified as problematic, was found in GARO WALLBOX GLB+ T2EV7 0.5. This affects an unknown part of the file /index.jsp#settings of the component Software Update Handler. The manipulation of the argument Reference leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254397 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 02/12/2025

The vulnerability identified as CVE-2024-1707 represents a critical cross site scripting flaw within the GARO WALLBOX GLB+ T2EV7 0.5 software update handler component. This security weakness exists in the web interface at the path /index.jsp#settings where the software processes user-supplied input through the Reference argument. The vulnerability classification as problematic indicates a significant risk to system security and user data integrity. The affected device is a wallbox charging station that likely serves as part of an electric vehicle charging infrastructure, making it a potential target for attackers seeking to compromise charging network operations.

The technical implementation of this XSS vulnerability occurs when the application fails to properly sanitize or validate the Reference parameter before incorporating it into the web page response. This allows an attacker to inject malicious script code that executes in the context of a victim's browser session. The flaw specifically impacts the Software Update Handler component, suggesting that attackers could potentially manipulate the update process or gain unauthorized access to system configuration data. The vulnerability's remote exploitability means that attackers do not require physical access to the device to carry out the attack, significantly expanding the potential attack surface.

The operational impact of this vulnerability extends beyond simple script execution, as it could enable attackers to perform session hijacking, steal user credentials, or manipulate the charging station's operational parameters. In the context of electric vehicle charging infrastructure, this could lead to unauthorized charging sessions, financial loss, or disruption of charging services. The vulnerability affects the broader charging network ecosystem where such wallboxes operate, potentially allowing attackers to compromise multiple devices within a single deployment. The lack of vendor response despite early disclosure indicates a potential gap in the security update process for industrial IoT devices.

Mitigation strategies should focus on immediate input validation and output encoding to prevent script injection attacks. Organizations should implement proper parameter validation for all user-supplied inputs, particularly those used in dynamic web content generation. The implementation of Content Security Policy headers and proper sanitization of HTML output can significantly reduce the impact of XSS attacks. Network segmentation and access controls should be enforced to limit unauthorized access to the device management interfaces. According to CWE guidelines, this vulnerability maps to CWE-79 which specifically addresses cross site scripting flaws in web applications. The ATT&CK framework would classify this under T1566 for credential access and T1071 for application layer protocols, with potential lateral movement capabilities through session hijacking. Regular security assessments of industrial IoT devices are essential to identify similar vulnerabilities in embedded systems that may not receive timely vendor patches.

Responsible

VulDB

Reservation

02/21/2024

Disclosure

02/21/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00658

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!