Chargemap WebSocket Session Hijacking Vulnerability

Vulnerability

A vulnerability in the WebSocket backend of Chargemap's charging station management system allows for session hijacking or shadowing. The issue arises because the system uses charging station identifiers to associate sessions but permits multiple endpoints to connect using the same identifier. This flaw leads to predictable session identifiers, enabling unauthorized users to authenticate as other users or causing a denial-of-service condition by overwhelming the backend with valid session requests.
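The pattern described above, shown as an added example (this is not Chargemap's code; the class names, the per-station secret and the reject-duplicates policy are assumptions made for illustration). It puts a registry keyed only on the station identifier beside one that binds the identifier to a credential and a random session token.

```python
import hmac
import secrets


class NaiveRegistry:
    """Vulnerable pattern: the station identifier alone selects the session."""

    def __init__(self):
        self.sessions = {}  # station_id -> connection

    def connect(self, station_id, conn):
        # No proof of identity, and a later connection silently replaces
        # (shadows) the earlier one registered under the same identifier.
        self.sessions[station_id] = conn
        return station_id  # the "session id" is just the guessable station id


class BoundRegistry:
    """Hardened pattern: identifier + per-station secret + random session token."""

    def __init__(self, station_secrets):
        self.station_secrets = station_secrets  # station_id -> bytes (assumed provisioned)
        self.sessions = {}                      # station_id -> (connection, token)
        self.rejected = []                      # (station_id, reason) for alerting

    def connect(self, station_id, presented_secret, conn):
        expected = self.station_secrets.get(station_id)
        if expected is None or not hmac.compare_digest(expected, presented_secret):
            self.rejected.append((station_id, "bad-credential"))
            return None
        if station_id in self.sessions:
            # Policy assumption: keep the live session and flag the duplicate.
            # A real backend also needs a liveness timeout so a station can reconnect.
            self.rejected.append((station_id, "duplicate"))
            return None
        token = secrets.token_urlsafe(32)  # unpredictable, not derived from the id
        self.sessions[station_id] = (conn, token)
        return token

    def disconnect(self, station_id, token):
        current = self.sessions.get(station_id)
        if current and hmac.compare_digest(current[1], token):
            del self.sessions[station_id]
            return True
        return False
```

Entries in `rejected` with reason `duplicate` are the detection signal for a second endpoint presenting an identifier that already has a live session.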

Impact

Exploitation of this vulnerability could allow unauthorized users to hijack sessions, authenticating as other users, or disrupt charging services by flooding the backend with session requests, causing a denial-of-service condition.

Remediation

Chargemap did not respond to CISA's request for coordination. For more information, contact Chargemap through their support page.

Added: Feb 27, 2026, 12:26 AM
Updated: Feb 27, 2026, 12:26 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.2
remediation: 0.0
relevance: 3.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.