CVE-2024-21550
- Source
- https://cve.org/CVERecord?id=CVE-2024-21550
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21550.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-21550
- Published
- 2024-08-12T15:15:19.903Z
- Modified
- 2026-02-12T07:46:02.031484Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
SteVe is an open platform that implements different version of the OCPP protocol for Electric Vehicle charge points, acting as a central server for management of registered charge points. Attackers can inject arbitrary HTML and Javascript code via WebSockets leading to persistent Cross-Site Scripting in the SteVe management interface.
- References
-
- https://github.com/steve-community/steve/blob/steve-3.6.0/src/main/java/de/rwth/idsg/steve/config/WebSocketConfiguration.java#L69
- https://github.com/steve-community/steve/issues/1526
- https://github.com/steve-community/steve/pull/1527
- https://github.com/steve-community/steve/commit/a79983f843c37705182c8f54eba060c1dce3b6d1
- https://github.com/steve-community/steve/issues/1526
- https://github.com/steve-community/steve/pull/1527
Affected packages
Git / github.com/steve-community/steve
Affected ranges
- Type
- GIT
- Repo
- https://github.com/steve-community/steve
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
steve-1.*
steve-1.0.10
steve-1.0.11
steve-1.0.2
steve-1.0.3
steve-1.0.4
steve-1.0.5
steve-1.0.6
steve-1.0.7
steve-1.0.8
steve-1.0.9
steve-1.1.1
steve-1.2.0
steve-1.3.0
steve-2.*
steve-2.0.0
steve-2.0.1
steve-2.0.2
steve-2.0.3
steve-2.0.4
steve-2.0.5
steve-2.0.6
steve-2.1.0
steve-3.*
steve-3.0.0
steve-3.0.1
steve-3.0.2
steve-3.1.0
steve-3.2.0
steve-3.3.0
steve-3.3.1
steve-3.3.2
steve-3.4.0
steve-3.4.1
steve-3.4.2
steve-3.4.3
steve-3.4.4
steve-3.4.5
steve-3.4.6
steve-3.4.7
steve-3.4.8
steve-3.4.9
steve-3.5.0
steve-3.6.0
steve-3.7.0