Successful exploitation of these vulnerabilities could allow attackers to change certain settings, upload code, delete files, or execute commands.

TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Eaton reports these vulnerabilities affect the following Intelligent Power Manager products:

- Eaton Intelligent Power Manager (IPM) – All versions prior to 1.69
- Eaton Intelligent Power Manager Virtual Appliance (IPM VA) – All versions prior to 1.69
- Eaton Intelligent Power Protector (IPP) – All versions prior to 1.68

3.2 VULNERABILITY OVERVIEW

3.2.1 SQL INJECTION CWE-89

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit this vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the database.

CVE-2021-23276 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.2 EVAL INJECTION CWE-95

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to an unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using it in the dynamic evaluation call in the “loadUserFile” function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker-controlled commands.

CVE-2021-23277 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.3 IMPROPER INPUT VALIDATION CWE-20

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to an authenticated arbitrary file delete vulnerability caused by improper input validation at server/maps_srv.js with the “removeBackground” function and server/node_upgrade_srv.js with the “removeFirmware” function. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.

CVE-2021-23278 has been assigned to this vulnerability. A CVSS v3 base score of 8.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H).

3.2.4 IMPROPER INPUT VALIDATION CWE-20

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to an unauthenticated arbitrary file delete vulnerability caused by improper input validation in meta_driver_srv.js class with the “saveDriverData” function using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.

CVE-2021-23279 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H).

3.2.5 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to an authenticated arbitrary file upload vulnerability. IPM’s maps_srv.js allows an attacker to upload a malicious NodeJS file using the “uploadBackground” function. An attacker can upload malicious code or execute any command using a specially crafted packet to exploit the vulnerability.

CVE-2021-23280 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.6 CODE INJECTION CWE-94

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to an unauthenticated remote code execution vulnerability. IPM software does not sanitize the date provided via the “coverterCheckList” function in meta_driver_srv.js class.