Search criteria
14 vulnerabilities found for intelligent_power_protector by eaton
CVE-2021-23283 (GCVE-0-2021-23283)
Vulnerability from nvd – Published: 2022-04-19 20:26 – Updated: 2024-09-17 02:46
VLAI?
Title
Security issues in Eaton Intelligent Power Protector (IPP)
Summary
Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software.
Severity ?
5.2 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eaton | Eaton Intelligent Power Protector (IPP) |
Affected:
unspecified , < 1.69 release 166
(custom)
|
Credits
Eaton thanks the below organization and individuals for their coordinated support on the security vulnerability: CVE-2021-23283 - Micheal Heinzl via ICS-Cert
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.592Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Eaton Intelligent Power Protector (IPP)",
"vendor": "Eaton",
"versions": [
{
"lessThan": "1.69 release 166",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Eaton thanks the below organization and individuals for their coordinated support on the security vulnerability: CVE-2021-23283 - Micheal Heinzl via ICS-Cert"
}
],
"datePublic": "2022-03-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T20:26:41",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "Eaton has patched the security issue and new version of the affected software has been released. The latest version can be downloaded from below location: - Eaton IPP v1.69 https://www.eaton.com/us/en-us/products/backup-power-ups-surge-it-power-distribution/software-downloads.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Security issues in Eaton Intelligent Power Protector (IPP)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "CybersecurityCOE@eaton.com",
"DATE_PUBLIC": "2022-03-01T02:10:00.000Z",
"ID": "CVE-2021-23283",
"STATE": "PUBLIC",
"TITLE": "Security issues in Eaton Intelligent Power Protector (IPP)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Eaton Intelligent Power Protector (IPP)",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.69 release 166"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Eaton thanks the below organization and individuals for their coordinated support on the security vulnerability: CVE-2021-23283 - Micheal Heinzl via ICS-Cert"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "Eaton has patched the security issue and new version of the affected software has been released. The latest version can be downloaded from below location: - Eaton IPP v1.69 https://www.eaton.com/us/en-us/products/backup-power-ups-surge-it-power-distribution/software-downloads.html"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2021-23283",
"datePublished": "2022-04-19T20:26:41.123099Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-17T02:46:39.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23288 (GCVE-0-2021-23288)
Vulnerability from nvd – Published: 2022-04-01 22:17 – Updated: 2024-09-16 19:14
VLAI?
Title
Security issues in Intelligent Power Protector
Summary
The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. The attacker would need access to the local Subnet and an administrator interaction to compromise the system. This issue affects: Intelligent Power Protector versions prior to 1.69.
Severity ?
5.6 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eaton | Intelligent Power Protector |
Affected:
unspecified , < 1.69
(custom)
|
Credits
Eaton thanks the below researchers for the coordinated support on the security vulnerabilities: - • CVE-2021-23288 – Andreas Finstad and Arthur Donkers
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.288Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Intelligent Power Protector",
"vendor": "Eaton",
"versions": [
{
"lessThan": "1.69",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Eaton thanks the below researchers for the coordinated support on the security vulnerabilities: - \u2022 CVE-2021-23288 \u2013 Andreas Finstad and Arthur Donkers"
}
],
"datePublic": "2022-02-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. The attacker would need access to the local Subnet and an administrator interaction to compromise the system. This issue affects: Intelligent Power Protector versions prior to 1.69."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-01T22:17:34",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "Eaton has patched these security issues and new versions of the affected software are released. The latest versions can be downloaded from below location: -\nEaton IPM v1.69 \u2013 https://www.eaton.com/us/en-us/catalog/backup-power-ups-surge-it-power-distribution/eaton-intelligent-power-protector.resources.html"
}
],
"source": {
"advisory": "ETN-VA-2021-1002b",
"discovery": "EXTERNAL"
},
"title": "Security issues in Intelligent Power Protector",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "CybersecurityCOE@eaton.com",
"DATE_PUBLIC": "2022-02-08T11:20:00.000Z",
"ID": "CVE-2021-23288",
"STATE": "PUBLIC",
"TITLE": "Security issues in Intelligent Power Protector"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Intelligent Power Protector",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.69"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Eaton thanks the below researchers for the coordinated support on the security vulnerabilities: - \u2022 CVE-2021-23288 \u2013 Andreas Finstad and Arthur Donkers"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. The attacker would need access to the local Subnet and an administrator interaction to compromise the system. This issue affects: Intelligent Power Protector versions prior to 1.69."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "Eaton has patched these security issues and new versions of the affected software are released. The latest versions can be downloaded from below location: -\nEaton IPM v1.69 \u2013 https://www.eaton.com/us/en-us/catalog/backup-power-ups-surge-it-power-distribution/eaton-intelligent-power-protector.resources.html"
}
],
"source": {
"advisory": "ETN-VA-2021-1002b",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2021-23288",
"datePublished": "2022-04-01T22:17:34.614203Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T19:14:44.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23280 (GCVE-0-2021-23280)
Vulnerability from nvd – Published: 2021-04-13 18:04 – Updated: 2024-09-16 17:24
VLAI?
Title
Arbitrary File upload
Summary
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file upload vulnerability. IPM’s maps_srv.js allows an attacker to upload a malicious NodeJS file using uploadBackgroud action. An attacker can upload a malicious code or execute any command using a specially crafted packet to exploit the vulnerability.
Severity ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eaton | Intelligent Power manager (IPM) |
Affected:
unspecified , < 1.69
(custom)
|
Credits
Amir Preminger from Claroty research
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.663Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Intelligent Power manager (IPM)",
"vendor": "Eaton",
"versions": [
{
"lessThan": "1.69",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger from Claroty research"
}
],
"datePublic": "2021-04-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file upload vulnerability. IPM\u2019s maps_srv.js allows an attacker to upload a malicious NodeJS file using uploadBackgroud action. An attacker can upload a malicious code or execute any command using a specially crafted packet to exploit the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-13T18:04:34",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"title": "Arbitrary File upload",
"workarounds": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "Unrestricted Upload of File with Dangerous Type",
"ASSIGNER": "CybersecurityCOE@eaton.com",
"DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
"ID": "CVE-2021-23280",
"STATE": "PUBLIC",
"TITLE": "Arbitrary File upload"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Intelligent Power manager (IPM)",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.69"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Amir Preminger from Claroty research"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file upload vulnerability. IPM\u2019s maps_srv.js allows an attacker to upload a malicious NodeJS file using uploadBackgroud action. An attacker can upload a malicious code or execute any command using a specially crafted packet to exploit the vulnerability."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2021-23280",
"datePublished": "2021-04-13T18:04:34.985878Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T17:24:07.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23279 (GCVE-0-2021-23279)
Vulnerability from nvd – Published: 2021-04-13 18:03 – Updated: 2024-09-16 17:18
VLAI?
Title
Arbitrary File delete
Summary
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eaton | Intelligent Power manager (IPM) |
Affected:
unspecified , < 1.69
(custom)
|
Credits
Amir Preminger from Claroty research
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.624Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Intelligent Power manager (IPM)",
"vendor": "Eaton",
"versions": [
{
"lessThan": "1.69",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger from Claroty research"
}
],
"datePublic": "2021-04-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-13T18:03:26",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"title": "Arbitrary File delete",
"workarounds": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "Improper Input validation",
"ASSIGNER": "CybersecurityCOE@eaton.com",
"DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
"ID": "CVE-2021-23279",
"STATE": "PUBLIC",
"TITLE": "Arbitrary File delete"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Intelligent Power manager (IPM)",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.69"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Amir Preminger from Claroty research"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2021-23279",
"datePublished": "2021-04-13T18:03:26.395946Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T17:18:54.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23278 (GCVE-0-2021-23278)
Vulnerability from nvd – Published: 2021-04-13 18:02 – Updated: 2024-09-16 20:11
VLAI?
Title
Arbitrary File delete
Summary
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.
Severity ?
8.7 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eaton | Intelligent Power manager (IPM) |
Affected:
unspecified , < 1.69
(custom)
|
Credits
Amir Preminger from Claroty research
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Intelligent Power manager (IPM)",
"vendor": "Eaton",
"versions": [
{
"lessThan": "1.69",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger from Claroty research"
}
],
"datePublic": "2021-04-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-13T18:02:51",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"title": "Arbitrary File delete",
"workarounds": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "Improper Input validation",
"ASSIGNER": "CybersecurityCOE@eaton.com",
"DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
"ID": "CVE-2021-23278",
"STATE": "PUBLIC",
"TITLE": "Arbitrary File delete"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Intelligent Power manager (IPM)",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.69"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Amir Preminger from Claroty research"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2021-23278",
"datePublished": "2021-04-13T18:02:51.932357Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T20:11:36.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23277 (GCVE-0-2021-23277)
Vulnerability from nvd – Published: 2021-04-13 18:04 – Updated: 2024-09-16 18:38
VLAI?
Title
Improper Neutralization of Directives in Dynamically Evaluated Code
Summary
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands.
Severity ?
8.3 (High)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eaton | Intelligent Power manager (IPM) |
Affected:
unspecified , < 1.69
(custom)
|
Credits
Amir Preminger from Claroty research
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.736Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Intelligent Power manager (IPM)",
"vendor": "Eaton",
"versions": [
{
"lessThan": "1.69",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger from Claroty research"
}
],
"datePublic": "2021-04-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-13T18:04:16",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"title": "Improper Neutralization of Directives in Dynamically Evaluated Code",
"workarounds": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "Eval Injection",
"ASSIGNER": "CybersecurityCOE@eaton.com",
"DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
"ID": "CVE-2021-23277",
"STATE": "PUBLIC",
"TITLE": "Improper Neutralization of Directives in Dynamically Evaluated Code"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Intelligent Power manager (IPM)",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.69"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Amir Preminger from Claroty research"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2021-23277",
"datePublished": "2021-04-13T18:04:16.126158Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T18:38:30.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23276 (GCVE-0-2021-23276)
Vulnerability from nvd – Published: 2021-04-13 18:03 – Updated: 2024-09-17 02:22
VLAI?
Title
Improper Neutralization of Special Elements used in an SQL Command
Summary
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base.
Severity ?
7.1 (High)
CWE
- CWE-89 - SQL Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eaton | Intelligent Power manager (IPM) |
Affected:
unspecified , < 1.69
(custom)
|
Credits
Amir Preminger from Claroty research
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:54.415Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Intelligent Power manager (IPM)",
"vendor": "Eaton",
"versions": [
{
"lessThan": "1.69",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger from Claroty research"
}
],
"datePublic": "2021-04-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-13T18:03:08",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"title": "Improper Neutralization of Special Elements used in an SQL Command",
"workarounds": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "SQL Injection",
"ASSIGNER": "CybersecurityCOE@eaton.com",
"DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
"ID": "CVE-2021-23276",
"STATE": "PUBLIC",
"TITLE": "Improper Neutralization of Special Elements used in an SQL Command"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Intelligent Power manager (IPM)",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.69"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Amir Preminger from Claroty research"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2021-23276",
"datePublished": "2021-04-13T18:03:08.524940Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-17T02:22:03.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23283 (GCVE-0-2021-23283)
Vulnerability from cvelistv5 – Published: 2022-04-19 20:26 – Updated: 2024-09-17 02:46
VLAI?
Title
Security issues in Eaton Intelligent Power Protector (IPP)
Summary
Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software.
Severity ?
5.2 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eaton | Eaton Intelligent Power Protector (IPP) |
Affected:
unspecified , < 1.69 release 166
(custom)
|
Credits
Eaton thanks the below organization and individuals for their coordinated support on the security vulnerability: CVE-2021-23283 - Micheal Heinzl via ICS-Cert
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.592Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Eaton Intelligent Power Protector (IPP)",
"vendor": "Eaton",
"versions": [
{
"lessThan": "1.69 release 166",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Eaton thanks the below organization and individuals for their coordinated support on the security vulnerability: CVE-2021-23283 - Micheal Heinzl via ICS-Cert"
}
],
"datePublic": "2022-03-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T20:26:41",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "Eaton has patched the security issue and new version of the affected software has been released. The latest version can be downloaded from below location: - Eaton IPP v1.69 https://www.eaton.com/us/en-us/products/backup-power-ups-surge-it-power-distribution/software-downloads.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Security issues in Eaton Intelligent Power Protector (IPP)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "CybersecurityCOE@eaton.com",
"DATE_PUBLIC": "2022-03-01T02:10:00.000Z",
"ID": "CVE-2021-23283",
"STATE": "PUBLIC",
"TITLE": "Security issues in Eaton Intelligent Power Protector (IPP)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Eaton Intelligent Power Protector (IPP)",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.69 release 166"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Eaton thanks the below organization and individuals for their coordinated support on the security vulnerability: CVE-2021-23283 - Micheal Heinzl via ICS-Cert"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "Eaton has patched the security issue and new version of the affected software has been released. The latest version can be downloaded from below location: - Eaton IPP v1.69 https://www.eaton.com/us/en-us/products/backup-power-ups-surge-it-power-distribution/software-downloads.html"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2021-23283",
"datePublished": "2022-04-19T20:26:41.123099Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-17T02:46:39.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23288 (GCVE-0-2021-23288)
Vulnerability from cvelistv5 – Published: 2022-04-01 22:17 – Updated: 2024-09-16 19:14
VLAI?
Title
Security issues in Intelligent Power Protector
Summary
The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. The attacker would need access to the local Subnet and an administrator interaction to compromise the system. This issue affects: Intelligent Power Protector versions prior to 1.69.
Severity ?
5.6 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eaton | Intelligent Power Protector |
Affected:
unspecified , < 1.69
(custom)
|
Credits
Eaton thanks the below researchers for the coordinated support on the security vulnerabilities: - • CVE-2021-23288 – Andreas Finstad and Arthur Donkers
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.288Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Intelligent Power Protector",
"vendor": "Eaton",
"versions": [
{
"lessThan": "1.69",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Eaton thanks the below researchers for the coordinated support on the security vulnerabilities: - \u2022 CVE-2021-23288 \u2013 Andreas Finstad and Arthur Donkers"
}
],
"datePublic": "2022-02-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. The attacker would need access to the local Subnet and an administrator interaction to compromise the system. This issue affects: Intelligent Power Protector versions prior to 1.69."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-01T22:17:34",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "Eaton has patched these security issues and new versions of the affected software are released. The latest versions can be downloaded from below location: -\nEaton IPM v1.69 \u2013 https://www.eaton.com/us/en-us/catalog/backup-power-ups-surge-it-power-distribution/eaton-intelligent-power-protector.resources.html"
}
],
"source": {
"advisory": "ETN-VA-2021-1002b",
"discovery": "EXTERNAL"
},
"title": "Security issues in Intelligent Power Protector",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "CybersecurityCOE@eaton.com",
"DATE_PUBLIC": "2022-02-08T11:20:00.000Z",
"ID": "CVE-2021-23288",
"STATE": "PUBLIC",
"TITLE": "Security issues in Intelligent Power Protector"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Intelligent Power Protector",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.69"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Eaton thanks the below researchers for the coordinated support on the security vulnerabilities: - \u2022 CVE-2021-23288 \u2013 Andreas Finstad and Arthur Donkers"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. The attacker would need access to the local Subnet and an administrator interaction to compromise the system. This issue affects: Intelligent Power Protector versions prior to 1.69."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "Eaton has patched these security issues and new versions of the affected software are released. The latest versions can be downloaded from below location: -\nEaton IPM v1.69 \u2013 https://www.eaton.com/us/en-us/catalog/backup-power-ups-surge-it-power-distribution/eaton-intelligent-power-protector.resources.html"
}
],
"source": {
"advisory": "ETN-VA-2021-1002b",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2021-23288",
"datePublished": "2022-04-01T22:17:34.614203Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T19:14:44.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23280 (GCVE-0-2021-23280)
Vulnerability from cvelistv5 – Published: 2021-04-13 18:04 – Updated: 2024-09-16 17:24
VLAI?
Title
Arbitrary File upload
Summary
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file upload vulnerability. IPM’s maps_srv.js allows an attacker to upload a malicious NodeJS file using uploadBackgroud action. An attacker can upload a malicious code or execute any command using a specially crafted packet to exploit the vulnerability.
Severity ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eaton | Intelligent Power manager (IPM) |
Affected:
unspecified , < 1.69
(custom)
|
Credits
Amir Preminger from Claroty research
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.663Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Intelligent Power manager (IPM)",
"vendor": "Eaton",
"versions": [
{
"lessThan": "1.69",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger from Claroty research"
}
],
"datePublic": "2021-04-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file upload vulnerability. IPM\u2019s maps_srv.js allows an attacker to upload a malicious NodeJS file using uploadBackgroud action. An attacker can upload a malicious code or execute any command using a specially crafted packet to exploit the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-13T18:04:34",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"title": "Arbitrary File upload",
"workarounds": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "Unrestricted Upload of File with Dangerous Type",
"ASSIGNER": "CybersecurityCOE@eaton.com",
"DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
"ID": "CVE-2021-23280",
"STATE": "PUBLIC",
"TITLE": "Arbitrary File upload"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Intelligent Power manager (IPM)",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.69"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Amir Preminger from Claroty research"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file upload vulnerability. IPM\u2019s maps_srv.js allows an attacker to upload a malicious NodeJS file using uploadBackgroud action. An attacker can upload a malicious code or execute any command using a specially crafted packet to exploit the vulnerability."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2021-23280",
"datePublished": "2021-04-13T18:04:34.985878Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T17:24:07.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23277 (GCVE-0-2021-23277)
Vulnerability from cvelistv5 – Published: 2021-04-13 18:04 – Updated: 2024-09-16 18:38
VLAI?
Title
Improper Neutralization of Directives in Dynamically Evaluated Code
Summary
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands.
Severity ?
8.3 (High)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eaton | Intelligent Power manager (IPM) |
Affected:
unspecified , < 1.69
(custom)
|
Credits
Amir Preminger from Claroty research
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.736Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Intelligent Power manager (IPM)",
"vendor": "Eaton",
"versions": [
{
"lessThan": "1.69",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger from Claroty research"
}
],
"datePublic": "2021-04-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-13T18:04:16",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"title": "Improper Neutralization of Directives in Dynamically Evaluated Code",
"workarounds": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "Eval Injection",
"ASSIGNER": "CybersecurityCOE@eaton.com",
"DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
"ID": "CVE-2021-23277",
"STATE": "PUBLIC",
"TITLE": "Improper Neutralization of Directives in Dynamically Evaluated Code"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Intelligent Power manager (IPM)",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.69"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Amir Preminger from Claroty research"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2021-23277",
"datePublished": "2021-04-13T18:04:16.126158Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T18:38:30.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23279 (GCVE-0-2021-23279)
Vulnerability from cvelistv5 – Published: 2021-04-13 18:03 – Updated: 2024-09-16 17:18
VLAI?
Title
Arbitrary File delete
Summary
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eaton | Intelligent Power manager (IPM) |
Affected:
unspecified , < 1.69
(custom)
|
Credits
Amir Preminger from Claroty research
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.624Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Intelligent Power manager (IPM)",
"vendor": "Eaton",
"versions": [
{
"lessThan": "1.69",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger from Claroty research"
}
],
"datePublic": "2021-04-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-13T18:03:26",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"title": "Arbitrary File delete",
"workarounds": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "Improper Input validation",
"ASSIGNER": "CybersecurityCOE@eaton.com",
"DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
"ID": "CVE-2021-23279",
"STATE": "PUBLIC",
"TITLE": "Arbitrary File delete"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Intelligent Power manager (IPM)",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.69"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Amir Preminger from Claroty research"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2021-23279",
"datePublished": "2021-04-13T18:03:26.395946Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T17:18:54.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23276 (GCVE-0-2021-23276)
Vulnerability from cvelistv5 – Published: 2021-04-13 18:03 – Updated: 2024-09-17 02:22
VLAI?
Title
Improper Neutralization of Special Elements used in an SQL Command
Summary
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base.
Severity ?
7.1 (High)
CWE
- CWE-89 - SQL Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eaton | Intelligent Power manager (IPM) |
Affected:
unspecified , < 1.69
(custom)
|
Credits
Amir Preminger from Claroty research
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:54.415Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Intelligent Power manager (IPM)",
"vendor": "Eaton",
"versions": [
{
"lessThan": "1.69",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger from Claroty research"
}
],
"datePublic": "2021-04-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-13T18:03:08",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"title": "Improper Neutralization of Special Elements used in an SQL Command",
"workarounds": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "SQL Injection",
"ASSIGNER": "CybersecurityCOE@eaton.com",
"DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
"ID": "CVE-2021-23276",
"STATE": "PUBLIC",
"TITLE": "Improper Neutralization of Special Elements used in an SQL Command"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Intelligent Power manager (IPM)",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.69"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Amir Preminger from Claroty research"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2021-23276",
"datePublished": "2021-04-13T18:03:08.524940Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-17T02:22:03.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23278 (GCVE-0-2021-23278)
Vulnerability from cvelistv5 – Published: 2021-04-13 18:02 – Updated: 2024-09-16 20:11
VLAI?
Title
Arbitrary File delete
Summary
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.
Severity ?
8.7 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eaton | Intelligent Power manager (IPM) |
Affected:
unspecified , < 1.69
(custom)
|
Credits
Amir Preminger from Claroty research
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Intelligent Power manager (IPM)",
"vendor": "Eaton",
"versions": [
{
"lessThan": "1.69",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger from Claroty research"
}
],
"datePublic": "2021-04-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-13T18:02:51",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"title": "Arbitrary File delete",
"workarounds": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "Improper Input validation",
"ASSIGNER": "CybersecurityCOE@eaton.com",
"DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
"ID": "CVE-2021-23278",
"STATE": "PUBLIC",
"TITLE": "Arbitrary File delete"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Intelligent Power manager (IPM)",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.69"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Amir Preminger from Claroty research"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "upgrade the software to latest version 1.69"
}
],
"source": {
"advisory": "ETN-VA-2021-1000",
"defect": [
"ETN-VA-2021-1000"
],
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2021-23278",
"datePublished": "2021-04-13T18:02:51.932357Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T20:11:36.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}