Two remotely exploitable vulnerabilities have been identified in CirCarLife electric vehicle chargers manufactured by Circontrol. The vulnerabilities affect all CirCarLife versions prior to 4.3.1.
One vulnerability, CVE-2018-17918, allows an attacker to bypass authentication to the device by entering the URL of a specific page. The second vulnerability, CVE-2018-17922, is caused by the Password Authentication Protocol (PAP) credentials of the device being stored insecurely – in clear text in a log file that is accessible without authentication. An attacker can take advantage of this flaw to bypass the authentication mechanism and perform unauthorized operations, and to access critical information.
Both vulnerabilities have been assigned the highest possible CVSS v.3 base score of 10.
The vendor has fixed the above issues by releasing a new version of the software.