CVE-2024-21550
📋 TL;DR
CVE-2024-21550 is a persistent (stored) cross-site scripting (XSS) vulnerability in the SteVe electric vehicle charging management platform. Attackers can inject malicious HTML and JavaScript via WebSockets; the injected content is stored and later executed when administrators view the management interface. This affects all organizations using vulnerable versions of SteVe for EV charging infrastructure management.
💻 Affected Systems
- SteVe (SteVe EV Charging Management Platform)
📦 What is this software?
Steve by Steve Community
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as administrators, install backdoors, or redirect users to malicious sites, potentially compromising the entire EV charging management system.
Likely Case
Attackers steal administrator credentials or session tokens to gain unauthorized access to the management interface, potentially manipulating charging operations or accessing sensitive data.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized, preventing execution while maintaining legitimate functionality.
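To make the two halves of that mitigation concrete, here is an added Python illustration (not SteVe's code, which is Java): an allow-list check applied to the charge point identifier at the WebSocket boundary, and HTML encoding applied when that identifier is rendered into the admin page. The identifier policy (letters, digits, `-`, `_`, `.`, `:`, 1 to 64 characters) and the `render_row_*` / `accept_connection` names are assumptions made for the example; the vulnerable form is kept beside the hardened form to show why encoding alone is enough to neutralise the payload and why validation additionally keeps it out of storage.

```python
import html
import re

# Assumed allow-list for charge point identifiers (illustrative policy, not SteVe's):
# letters, digits, '-', '_', '.' and ':', between 1 and 64 characters.
IDENTIFIER_RE = re.compile(r"[A-Za-z0-9._:-]{1,64}")


def is_valid_identifier(value: str) -> bool:
    """Input validation at the WebSocket boundary: accept only allow-listed identifiers."""
    return bool(IDENTIFIER_RE.fullmatch(value))


def render_row_unsafe(identifier: str) -> str:
    """Vulnerable pattern: untrusted data concatenated straight into HTML.

    Whatever the charge point sent is emitted as markup and executed by the
    administrator's browser.
    """
    return f"<tr><td>{identifier}</td></tr>"


def render_row_safe(identifier: str) -> str:
    """Hardened pattern: HTML-encode on output.

    '<', '>', '&' and quotes become entities, so the browser shows the payload as
    text instead of interpreting it as script.
    """
    return f"<tr><td>{html.escape(identifier, quote=True)}</td></tr>"


def accept_connection(identifier: str):
    """Simulated handshake handling (hypothetical helper): validate first, encode second.

    Returns the encoded table row for the admin page, or None when the identifier
    is rejected (a real handler would close the socket or return an HTTP 4xx).
    """
    if not is_valid_identifier(identifier):
        return None
    return render_row_safe(identifier)


if __name__ == "__main__":
    hostile = "<script>alert(1)</script>"   # constructed test input
    print("unsafe :", render_row_unsafe(hostile))
    print("safe   :", render_row_safe(hostile))
    print("accept :", accept_connection("CP-0001"))
    print("reject :", accept_connection(hostile))
```

Validation and encoding are independent controls: encoding protects every page that displays the value, validation stops hostile values from ever reaching the database or the logs, where a second consumer might render them without encoding.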
🎯 Exploit Status
Exploitation requires access to the WebSocket interface, which typically requires some level of access to the management system. The vulnerability is straightforward to exploit once an attacker can send WebSocket messages.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit a79983f843c37705182c8f54eba060c1dce3b6d1
Vendor Advisory: https://github.com/steve-community/steve/issues/1526
Restart Required: Yes
Instructions:
1. Update to the latest SteVe version containing commit a79983f843c37705182c8f54eba060c1dce3b6d1
2. Restart the SteVe application
3. Verify the fix by checking that WebSocketConfiguration.java line 69 has proper input validation
🔧 Temporary Workarounds
Disable WebSocket functionality
Temporarily disable WebSocket connections to prevent exploitation while patching; note that charge points speaking OCPP over WebSocket (OCPP-J) lose connectivity for as long as this workaround is in place
Modify WebSocketConfiguration.java to disable WebSocket endpoints
Comment out @EnableWebSocketMessageBroker annotation
Implement WAF rules
Configure the web application firewall to block malicious WebSocket payloads containing script tags and JavaScript
Add WAF rules to detect and block: <script>, javascript:, onload=, onerror=
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution
- Isolate the SteVe management interface behind VPN or internal network only
🔍 How to Verify
Check if Vulnerable:
Check if your SteVe version includes the vulnerable WebSocketConfiguration.java code at line 69 without proper input validation
Check Version:
git log --format=%H | grep a79983f843c37705182c8f54eba060c1dce3b6d1
Verify Fix Applied:
Verify that commit a79983f843c37705182c8f54eba060c1dce3b6d1 is present in your codebase and that WebSocket input is properly sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual WebSocket connection patterns
- WebSocket messages containing script tags or JavaScript code
- Multiple failed authentication attempts followed by WebSocket connections
Network Indicators:
- WebSocket traffic containing base64 encoded payloads
- Unusual WebSocket message sizes or frequencies
- WebSocket connections from unexpected IP addresses
SIEM Query:
source="steve.logs" AND message="*WebSocket*" AND (message="*<script>*" OR message="*javascript:*")
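The log indicators above can be checked offline before a SIEM rule is written. The following is an added Python example, not part of the advisory or of SteVe, that scans log lines for WebSocket events carrying the indicators listed under the WAF workaround (`<script`, `javascript:`, `onload=`, `onerror=`). It goes one step beyond the SIEM query: base64-looking tokens in a line are decoded and inspected too, covering the "base64 encoded payloads" network indicator. The log format and all sample lines are constructed for the example; real SteVe log lines will differ, so only the matching logic is meant to carry over.

```python
import base64
import re

# Indicators taken from the advisory's WAF guidance; matched case-insensitively.
INDICATORS = ("<script", "javascript:", "onload=", "onerror=")

# A base64-looking run: at least 16 alphabet characters plus optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample log lines (not real SteVe output). The last one carries a
# base64-wrapped payload so the decoding path is exercised.
_ENCODED_PAYLOAD = base64.b64encode(b"<img src=x onerror=x>").decode("ascii")
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z INFO  WebSocket connect chargeBoxId=CP-0001 from 10.0.0.5",
    "2024-05-01T10:00:03Z INFO  WebSocket connect chargeBoxId=<script>alert(1)</script> from 10.0.0.9",
    "2024-05-01T10:00:07Z INFO  HTTP GET /manager/home user=admin",
    f"2024-05-01T10:00:09Z INFO  WebSocket message chargeBoxId=CP-0002 payload={_ENCODED_PAYLOAD}",
]


def decoded_views(text: str):
    """Yield the line itself, then the decoded form of every base64-looking token in it.

    Tokens that are not valid base64 (wrong length, bad padding) are skipped.
    """
    yield text
    for match in B64_TOKEN.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        yield raw.decode("utf-8", errors="replace")


def is_suspicious(line: str) -> bool:
    """True when a WebSocket-related line carries an XSS indicator, plain or base64-wrapped."""
    if "websocket" not in line.lower():
        return False
    return any(
        indicator in view.lower()
        for view in decoded_views(line)
        for indicator in INDICATORS
    )


def scan(lines):
    """Return the lines that should be escalated for review."""
    return [line for line in lines if is_suspicious(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("SUSPICIOUS:", hit)
```

Running it flags the second and fourth sample lines and leaves the ordinary connect and HTTP lines alone. The substring checks are deliberately broad; a production rule would add the surrounding context (source IP, chargeBoxId) to the alert so responders can correlate with the "unexpected IP addresses" indicator above.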
🔗 References
- https://github.com/steve-community/steve/blob/steve-3.6.0/src/main/java/de/rwth/idsg/steve/config/WebSocketConfiguration.java#L69
- https://github.com/steve-community/steve/commit/a79983f843c37705182c8f54eba060c1dce3b6d1
- https://github.com/steve-community/steve/issues/1526
- https://github.com/steve-community/steve/pull/1527