SEVD-2022-165-03
Schneider Electric is aware of multiple vulnerabilities in its Conext™ ComBox product, which was discontinued in January 2020 and is no longer supported. The Conext™ ComBox is a communication and monitoring device for installers and operators of Conext solar systems. It features an integrated web server that presents graphical displays of the system's daily, monthly and lifetime energy data, viewable in a standard web browser or on an Android tablet. Failure to apply the mitigations provided below may expose the device to Clickjacking, Rate Limiting and Cross-Site Request Forgery attacks. An attacker who successfully exploits one or more of these vulnerabilities could trick the product user or administrator into performing unintended actions, which may lead to a takeover of their account or to manipulation of the station settings.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Schneider Electric | Conext™ ComBox | All Versions |
Timeline
- Jun 14, 2022 CVE Published
References
- https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2022-165-03.json advisory
- https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-03_ConextCombox_Security_Notification.pdf advisory
- https://www.se.com/us/en/download/document/7EN52-0390/ advisory
- https://solar.se.com/us/en/product/insighthome-and-insightfacility-edge-devices/#videos fix