Search

Find a vulnerability

Search criteria

    24 vulnerabilities found for intelligent_power_protector by eaton

    CVE-2026-22619 (GCVE-0-2026-22619)

    Vulnerability from nvd – Published: 2026-04-16 05:26 – Updated: 2026-04-16 12:59
    VLAI
    Summary
    Eaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download center.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-427 - Uncontrolled Search Path Element
    Assigner
    Impacted products
    Vendor Product Version
    Eaton IPP software Affected: 0 , < 2.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22619",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T12:59:18.272669Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-427",
                    "description": "CWE-427 Uncontrolled Search Path Element",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T12:59:37.700Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "IPP software",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eEaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package.\u0026nbsp;\u003cspan\u003eThis security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download center.\u003c/span\u003e\u003c/div\u003e"
                }
              ],
              "value": "Eaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package.\u00a0This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download center."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-16T05:26:48.952Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2026-22619",
        "datePublished": "2026-04-16T05:26:48.952Z",
        "dateReserved": "2026-01-08T04:55:11.730Z",
        "dateUpdated": "2026-04-16T12:59:37.700Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22618 (GCVE-0-2026-22618)

    Vulnerability from nvd – Published: 2026-04-16 05:11 – Updated: 2026-04-16 13:10
    VLAI
    Summary
    A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web‑based attacks. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-358 - Improperly implemented security check for standard
    Assigner
    Impacted products
    Vendor Product Version
    Eaton IPP software Affected: 0 , < 2.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22618",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T13:08:42.475365Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T13:10:01.651Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "IPP software",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eA security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web\u2011based attacks.\u0026nbsp;\u003cspan\u003eThis security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.\u003c/span\u003e\u003c/div\u003e"
                }
              ],
              "value": "A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web\u2011based attacks.\u00a0This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-358",
                  "description": "CWE-358 Improperly implemented security check for standard",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-16T05:11:06.548Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2026-22618",
        "datePublished": "2026-04-16T05:11:06.548Z",
        "dateReserved": "2026-01-08T04:55:11.730Z",
        "dateUpdated": "2026-04-16T13:10:01.651Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22617 (GCVE-0-2026-22617)

    Vulnerability from nvd – Published: 2026-04-16 05:02 – Updated: 2026-04-16 13:23
    VLAI
    Summary
    Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network‑based attacker to intercept the cookie and exploit it through a man‑in‑the‑middle attack. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-614 - Sensitive cookie in HTTPS session without 'secure' attribute
    Assigner
    Impacted products
    Vendor Product Version
    Eaton IPP Software Affected: 0 , < 2.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22617",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T13:20:03.215264Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T13:23:29.510Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "IPP Software",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eEaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network\u2011based attacker to intercept the cookie and exploit it through a man\u2011in\u2011the\u2011middle attack.\u0026nbsp;\u003cspan\u003eThis security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.\u003c/span\u003e\u003c/div\u003e"
                }
              ],
              "value": "Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network\u2011based attacker to intercept the cookie and exploit it through a man\u2011in\u2011the\u2011middle attack.\u00a0This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-614",
                  "description": "CWE-614 Sensitive cookie in HTTPS session without \u0027secure\u0027 attribute",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-16T05:02:07.710Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2026-22617",
        "datePublished": "2026-04-16T05:02:07.710Z",
        "dateReserved": "2026-01-08T04:55:11.729Z",
        "dateUpdated": "2026-04-16T13:23:29.510Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22616 (GCVE-0-2026-22616)

    Vulnerability from nvd – Published: 2026-04-16 04:54 – Updated: 2026-04-16 13:30
    VLAI
    Summary
    Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate‑limiting controls. This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-307 - Improper restriction of excessive authentication attempts
    Assigner
    Impacted products
    Vendor Product Version
    Eaton IPP Software Affected: 0 , < 2.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22616",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T13:23:56.166508Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T13:30:12.024Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "IPP Software",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eEaton\u0026nbsp;\u003cspan\u003eIntelligent Power Protector (IPP)\u003c/span\u003e\u003cspan\u003e\u0026nbsp;software\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003eallows repeated authentication attempts against the web interface login page due to insufficient rate\u2011limiting controls.\u0026nbsp;\u003c/span\u003e\u003cspan\u003eThis security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre.\u003c/span\u003e\u003c/p\u003e"
                }
              ],
              "value": "Eaton\u00a0Intelligent Power Protector (IPP)\u00a0software\u00a0allows repeated authentication attempts against the web interface login page due to insufficient rate\u2011limiting controls.\u00a0This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-307",
                  "description": "CWE-307 Improper restriction of excessive authentication attempts",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-16T04:54:48.148Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2026-22616",
        "datePublished": "2026-04-16T04:54:48.148Z",
        "dateReserved": "2026-01-08T04:55:11.728Z",
        "dateUpdated": "2026-04-16T13:30:12.024Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22615 (GCVE-0-2026-22615)

    Vulnerability from nvd – Published: 2026-04-16 04:45 – Updated: 2026-04-16 12:59
    VLAI
    Summary
    Due to improper input validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is possible for an attacker with admin privileges and access to the local system to inject malicious code resulting in arbitrary command execution. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    Assigner
    Impacted products
    Vendor Product Version
    Eaton IPP Software Affected: 0 , < 2.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22615",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T12:59:53.063682Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T12:59:58.829Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "IPP Software",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cspan\u003eDue to improper\ninput validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is\npossible for an attacker with admin privileges and access to the local system to\ninject malicious code resulting in arbitrary command execution.\u0026nbsp;\u003c/span\u003e\u003cspan\u003eThis security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.\u003c/span\u003e\u003c/p\u003e"
                }
              ],
              "value": "Due to improper\ninput validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is\npossible for an attacker with admin privileges and access to the local system to\ninject malicious code resulting in arbitrary command execution.\u00a0This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-16T04:45:58.055Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2026-22615",
        "datePublished": "2026-04-16T04:45:58.055Z",
        "dateReserved": "2026-01-08T04:55:11.728Z",
        "dateUpdated": "2026-04-16T12:59:58.829Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-23283 (GCVE-0-2021-23283)

    Vulnerability from nvd – Published: 2022-04-19 20:26 – Updated: 2024-09-17 02:46
    VLAI
    Title
    Security issues in Eaton Intelligent Power Protector (IPP)
    Summary
    Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Eaton Eaton Intelligent Power Protector (IPP) Affected: unspecified , < 1.69 release 166 (custom)
    Create a notification for this product.
    Date Public
    2022-03-01 00:00
    Credits
    Eaton thanks the below organization and individuals for their coordinated support on the security vulnerability: CVE-2021-23283 - Micheal Heinzl via ICS-Cert
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.592Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Eaton Intelligent Power Protector (IPP)",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "1.69 release 166",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Eaton thanks the below organization and individuals for their coordinated support on the security vulnerability: CVE-2021-23283 - Micheal Heinzl via ICS-Cert"
            }
          ],
          "datePublic": "2022-03-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-19T20:26:41.000Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Eaton has patched the security issue and new version of the affected software has been released. The latest version can be downloaded from below location: - Eaton IPP v1.69 https://www.eaton.com/us/en-us/products/backup-power-ups-surge-it-power-distribution/software-downloads.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Security issues in Eaton Intelligent Power Protector (IPP)",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "CybersecurityCOE@eaton.com",
              "DATE_PUBLIC": "2022-03-01T02:10:00.000Z",
              "ID": "CVE-2021-23283",
              "STATE": "PUBLIC",
              "TITLE": "Security issues in Eaton Intelligent Power Protector (IPP)"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Eaton Intelligent Power Protector (IPP)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.69 release 166"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Eaton"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Eaton thanks the below organization and individuals for their coordinated support on the security vulnerability: CVE-2021-23283 - Micheal Heinzl via ICS-Cert"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf",
                  "refsource": "MISC",
                  "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Eaton has patched the security issue and new version of the affected software has been released. The latest version can be downloaded from below location: - Eaton IPP v1.69 https://www.eaton.com/us/en-us/products/backup-power-ups-surge-it-power-distribution/software-downloads.html"
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2021-23283",
        "datePublished": "2022-04-19T20:26:41.123Z",
        "dateReserved": "2021-01-08T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:46:39.591Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23288 (GCVE-0-2021-23288)

    Vulnerability from nvd – Published: 2022-04-01 22:17 – Updated: 2024-09-16 19:14
    VLAI
    Title
    Security issues in Intelligent Power Protector
    Summary
    The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. The attacker would need access to the local Subnet and an administrator interaction to compromise the system. This issue affects: Intelligent Power Protector versions prior to 1.69.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Eaton Intelligent Power Protector Affected: unspecified , < 1.69 (custom)
    Create a notification for this product.
    Date Public
    2022-02-08 00:00
    Credits
    Eaton thanks the below researchers for the coordinated support on the security vulnerabilities: - • CVE-2021-23288 – Andreas Finstad and Arthur Donkers
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.288Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Intelligent Power Protector",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "1.69",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Eaton thanks the below researchers for the coordinated support on the security vulnerabilities: - \u2022 CVE-2021-23288 \u2013 Andreas Finstad and Arthur Donkers"
            }
          ],
          "datePublic": "2022-02-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. The attacker would need access to the local Subnet and an administrator interaction to compromise the system. This issue affects: Intelligent Power Protector versions prior to 1.69."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-01T22:17:34.000Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Eaton has patched these security issues and new versions of the affected software are released. The latest versions can be downloaded from below location: -\nEaton IPM v1.69 \u2013 https://www.eaton.com/us/en-us/catalog/backup-power-ups-surge-it-power-distribution/eaton-intelligent-power-protector.resources.html"
            }
          ],
          "source": {
            "advisory": "ETN-VA-2021-1002b",
            "discovery": "EXTERNAL"
          },
          "title": "Security issues in Intelligent Power Protector",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "CybersecurityCOE@eaton.com",
              "DATE_PUBLIC": "2022-02-08T11:20:00.000Z",
              "ID": "CVE-2021-23288",
              "STATE": "PUBLIC",
              "TITLE": "Security issues in Intelligent Power Protector"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Intelligent Power Protector",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.69"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Eaton"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Eaton thanks the below researchers for the coordinated support on the security vulnerabilities: - \u2022 CVE-2021-23288 \u2013 Andreas Finstad and Arthur Donkers"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. The attacker would need access to the local Subnet and an administrator interaction to compromise the system. This issue affects: Intelligent Power Protector versions prior to 1.69."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf",
                  "refsource": "MISC",
                  "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Eaton has patched these security issues and new versions of the affected software are released. The latest versions can be downloaded from below location: -\nEaton IPM v1.69 \u2013 https://www.eaton.com/us/en-us/catalog/backup-power-ups-surge-it-power-distribution/eaton-intelligent-power-protector.resources.html"
              }
            ],
            "source": {
              "advisory": "ETN-VA-2021-1002b",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2021-23288",
        "datePublished": "2022-04-01T22:17:34.614Z",
        "dateReserved": "2021-01-08T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:14:44.585Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23280 (GCVE-0-2021-23280)

    Vulnerability from nvd – Published: 2021-04-13 18:04 – Updated: 2024-09-16 17:24
    VLAI
    Title
    Arbitrary File upload
    Summary
    Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file upload vulnerability. IPM’s maps_srv.js allows an attacker to upload a malicious NodeJS file using uploadBackgroud action. An attacker can upload a malicious code or execute any command using a specially crafted packet to exploit the vulnerability.
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    Eaton Intelligent Power manager (IPM) Affected: unspecified , < 1.69 (custom)
    Create a notification for this product.
    Date Public
    2021-04-01 00:00
    Credits
    Amir Preminger from Claroty research
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.663Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Intelligent Power manager (IPM)",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "1.69",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Amir Preminger from Claroty research"
            }
          ],
          "datePublic": "2021-04-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file upload vulnerability. IPM\u2019s maps_srv.js allows an attacker to upload a malicious NodeJS file using uploadBackgroud action. An attacker can upload a malicious code or execute any command using a specially crafted packet to exploit the vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-13T18:04:34.000Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "upgrade the software to latest version 1.69"
            }
          ],
          "source": {
            "advisory": "ETN-VA-2021-1000",
            "defect": [
              "ETN-VA-2021-1000"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Arbitrary File upload",
          "workarounds": [
            {
              "lang": "en",
              "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "Unrestricted Upload of File with Dangerous Type",
              "ASSIGNER": "CybersecurityCOE@eaton.com",
              "DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
              "ID": "CVE-2021-23280",
              "STATE": "PUBLIC",
              "TITLE": "Arbitrary File upload"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Intelligent Power manager (IPM)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.69"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Eaton"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Amir Preminger from Claroty research"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file upload vulnerability. IPM\u2019s maps_srv.js allows an attacker to upload a malicious NodeJS file using uploadBackgroud action. An attacker can upload a malicious code or execute any command using a specially crafted packet to exploit the vulnerability."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
                  "refsource": "MISC",
                  "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "upgrade the software to latest version 1.69"
              }
            ],
            "source": {
              "advisory": "ETN-VA-2021-1000",
              "defect": [
                "ETN-VA-2021-1000"
              ],
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2021-23280",
        "datePublished": "2021-04-13T18:04:34.985Z",
        "dateReserved": "2021-01-08T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:24:07.762Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23279 (GCVE-0-2021-23279)

    Vulnerability from nvd – Published: 2021-04-13 18:03 – Updated: 2024-09-16 17:18
    VLAI
    Title
    Arbitrary File delete
    Summary
    Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Eaton Intelligent Power manager (IPM) Affected: unspecified , < 1.69 (custom)
    Create a notification for this product.
    Date Public
    2021-04-01 00:00
    Credits
    Amir Preminger from Claroty research
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.624Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Intelligent Power manager (IPM)",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "1.69",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Amir Preminger from Claroty research"
            }
          ],
          "datePublic": "2021-04-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-13T18:03:26.000Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "upgrade the software to latest version 1.69"
            }
          ],
          "source": {
            "advisory": "ETN-VA-2021-1000",
            "defect": [
              "ETN-VA-2021-1000"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Arbitrary File delete",
          "workarounds": [
            {
              "lang": "en",
              "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "Improper Input validation",
              "ASSIGNER": "CybersecurityCOE@eaton.com",
              "DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
              "ID": "CVE-2021-23279",
              "STATE": "PUBLIC",
              "TITLE": "Arbitrary File delete"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Intelligent Power manager (IPM)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.69"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Eaton"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Amir Preminger from Claroty research"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
                  "refsource": "MISC",
                  "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "upgrade the software to latest version 1.69"
              }
            ],
            "source": {
              "advisory": "ETN-VA-2021-1000",
              "defect": [
                "ETN-VA-2021-1000"
              ],
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2021-23279",
        "datePublished": "2021-04-13T18:03:26.395Z",
        "dateReserved": "2021-01-08T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:18:54.414Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23278 (GCVE-0-2021-23278)

    Vulnerability from nvd – Published: 2021-04-13 18:02 – Updated: 2024-09-16 20:11
    VLAI
    Title
    Arbitrary File delete
    Summary
    Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Eaton Intelligent Power manager (IPM) Affected: unspecified , < 1.69 (custom)
    Create a notification for this product.
    Date Public
    2021-04-01 00:00
    Credits
    Amir Preminger from Claroty research
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.635Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Intelligent Power manager (IPM)",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "1.69",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Amir Preminger from Claroty research"
            }
          ],
          "datePublic": "2021-04-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-13T18:02:51.000Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "upgrade the software to latest version 1.69"
            }
          ],
          "source": {
            "advisory": "ETN-VA-2021-1000",
            "defect": [
              "ETN-VA-2021-1000"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Arbitrary File delete",
          "workarounds": [
            {
              "lang": "en",
              "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "Improper Input validation",
              "ASSIGNER": "CybersecurityCOE@eaton.com",
              "DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
              "ID": "CVE-2021-23278",
              "STATE": "PUBLIC",
              "TITLE": "Arbitrary File delete"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Intelligent Power manager (IPM)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.69"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Eaton"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Amir Preminger from Claroty research"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
                  "refsource": "MISC",
                  "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "upgrade the software to latest version 1.69"
              }
            ],
            "source": {
              "advisory": "ETN-VA-2021-1000",
              "defect": [
                "ETN-VA-2021-1000"
              ],
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2021-23278",
        "datePublished": "2021-04-13T18:02:51.932Z",
        "dateReserved": "2021-01-08T00:00:00.000Z",
        "dateUpdated": "2024-09-16T20:11:36.112Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23277 (GCVE-0-2021-23277)

    Vulnerability from nvd – Published: 2021-04-13 18:04 – Updated: 2024-09-16 18:38
    VLAI
    Title
    Improper Neutralization of Directives in Dynamically Evaluated Code
    Summary
    Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands.
    CWE
    • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Eaton Intelligent Power manager (IPM) Affected: unspecified , < 1.69 (custom)
    Create a notification for this product.
    Date Public
    2021-04-01 00:00
    Credits
    Amir Preminger from Claroty research
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.736Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Intelligent Power manager (IPM)",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "1.69",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Amir Preminger from Claroty research"
            }
          ],
          "datePublic": "2021-04-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-95",
                  "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-13T18:04:16.000Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "upgrade the software to latest version 1.69"
            }
          ],
          "source": {
            "advisory": "ETN-VA-2021-1000",
            "defect": [
              "ETN-VA-2021-1000"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Improper Neutralization of Directives in Dynamically Evaluated Code",
          "workarounds": [
            {
              "lang": "en",
              "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "Eval Injection",
              "ASSIGNER": "CybersecurityCOE@eaton.com",
              "DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
              "ID": "CVE-2021-23277",
              "STATE": "PUBLIC",
              "TITLE": "Improper Neutralization of Directives in Dynamically Evaluated Code"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Intelligent Power manager (IPM)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.69"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Eaton"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Amir Preminger from Claroty research"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
                  "refsource": "MISC",
                  "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "upgrade the software to latest version 1.69"
              }
            ],
            "source": {
              "advisory": "ETN-VA-2021-1000",
              "defect": [
                "ETN-VA-2021-1000"
              ],
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2021-23277",
        "datePublished": "2021-04-13T18:04:16.126Z",
        "dateReserved": "2021-01-08T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:38:30.132Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23276 (GCVE-0-2021-23276)

    Vulnerability from nvd – Published: 2021-04-13 18:03 – Updated: 2024-09-17 02:22
    VLAI
    Title
    Improper Neutralization of Special Elements used in an SQL Command
    Summary
    Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Eaton Intelligent Power manager (IPM) Affected: unspecified , < 1.69 (custom)
    Create a notification for this product.
    Date Public
    2021-04-01 00:00
    Credits
    Amir Preminger from Claroty research
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:54.415Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Intelligent Power manager (IPM)",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "1.69",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Amir Preminger from Claroty research"
            }
          ],
          "datePublic": "2021-04-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-13T18:03:08.000Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "upgrade the software to latest version 1.69"
            }
          ],
          "source": {
            "advisory": "ETN-VA-2021-1000",
            "defect": [
              "ETN-VA-2021-1000"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Improper Neutralization of Special Elements used in an SQL Command",
          "workarounds": [
            {
              "lang": "en",
              "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "SQL Injection",
              "ASSIGNER": "CybersecurityCOE@eaton.com",
              "DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
              "ID": "CVE-2021-23276",
              "STATE": "PUBLIC",
              "TITLE": "Improper Neutralization of Special Elements used in an SQL Command"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Intelligent Power manager (IPM)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.69"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Eaton"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Amir Preminger from Claroty research"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
                  "refsource": "MISC",
                  "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "upgrade the software to latest version 1.69"
              }
            ],
            "source": {
              "advisory": "ETN-VA-2021-1000",
              "defect": [
                "ETN-VA-2021-1000"
              ],
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2021-23276",
        "datePublished": "2021-04-13T18:03:08.524Z",
        "dateReserved": "2021-01-08T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:22:03.243Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-22619 (GCVE-0-2026-22619)

    Vulnerability from cvelistv5 – Published: 2026-04-16 05:26 – Updated: 2026-04-16 12:59
    VLAI
    Summary
    Eaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download center.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-427 - Uncontrolled Search Path Element
    Assigner
    Impacted products
    Vendor Product Version
    Eaton IPP software Affected: 0 , < 2.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22619",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T12:59:18.272669Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-427",
                    "description": "CWE-427 Uncontrolled Search Path Element",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T12:59:37.700Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "IPP software",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eEaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package.\u0026nbsp;\u003cspan\u003eThis security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download center.\u003c/span\u003e\u003c/div\u003e"
                }
              ],
              "value": "Eaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package.\u00a0This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download center."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-16T05:26:48.952Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2026-22619",
        "datePublished": "2026-04-16T05:26:48.952Z",
        "dateReserved": "2026-01-08T04:55:11.730Z",
        "dateUpdated": "2026-04-16T12:59:37.700Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22618 (GCVE-0-2026-22618)

    Vulnerability from cvelistv5 – Published: 2026-04-16 05:11 – Updated: 2026-04-16 13:10
    VLAI
    Summary
    A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web‑based attacks. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-358 - Improperly implemented security check for standard
    Assigner
    Impacted products
    Vendor Product Version
    Eaton IPP software Affected: 0 , < 2.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22618",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T13:08:42.475365Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T13:10:01.651Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "IPP software",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eA security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web\u2011based attacks.\u0026nbsp;\u003cspan\u003eThis security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.\u003c/span\u003e\u003c/div\u003e"
                }
              ],
              "value": "A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web\u2011based attacks.\u00a0This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-358",
                  "description": "CWE-358 Improperly implemented security check for standard",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-16T05:11:06.548Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2026-22618",
        "datePublished": "2026-04-16T05:11:06.548Z",
        "dateReserved": "2026-01-08T04:55:11.730Z",
        "dateUpdated": "2026-04-16T13:10:01.651Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22617 (GCVE-0-2026-22617)

    Vulnerability from cvelistv5 – Published: 2026-04-16 05:02 – Updated: 2026-04-16 13:23
    VLAI
    Summary
    Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network‑based attacker to intercept the cookie and exploit it through a man‑in‑the‑middle attack. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-614 - Sensitive cookie in HTTPS session without 'secure' attribute
    Assigner
    Impacted products
    Vendor Product Version
    Eaton IPP Software Affected: 0 , < 2.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22617",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T13:20:03.215264Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T13:23:29.510Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "IPP Software",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eEaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network\u2011based attacker to intercept the cookie and exploit it through a man\u2011in\u2011the\u2011middle attack.\u0026nbsp;\u003cspan\u003eThis security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.\u003c/span\u003e\u003c/div\u003e"
                }
              ],
              "value": "Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network\u2011based attacker to intercept the cookie and exploit it through a man\u2011in\u2011the\u2011middle attack.\u00a0This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-614",
                  "description": "CWE-614 Sensitive cookie in HTTPS session without \u0027secure\u0027 attribute",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-16T05:02:07.710Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2026-22617",
        "datePublished": "2026-04-16T05:02:07.710Z",
        "dateReserved": "2026-01-08T04:55:11.729Z",
        "dateUpdated": "2026-04-16T13:23:29.510Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22616 (GCVE-0-2026-22616)

    Vulnerability from cvelistv5 – Published: 2026-04-16 04:54 – Updated: 2026-04-16 13:30
    VLAI
    Summary
    Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate‑limiting controls. This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-307 - Improper restriction of excessive authentication attempts
    Assigner
    Impacted products
    Vendor Product Version
    Eaton IPP Software Affected: 0 , < 2.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22616",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T13:23:56.166508Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T13:30:12.024Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "IPP Software",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eEaton\u0026nbsp;\u003cspan\u003eIntelligent Power Protector (IPP)\u003c/span\u003e\u003cspan\u003e\u0026nbsp;software\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003eallows repeated authentication attempts against the web interface login page due to insufficient rate\u2011limiting controls.\u0026nbsp;\u003c/span\u003e\u003cspan\u003eThis security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre.\u003c/span\u003e\u003c/p\u003e"
                }
              ],
              "value": "Eaton\u00a0Intelligent Power Protector (IPP)\u00a0software\u00a0allows repeated authentication attempts against the web interface login page due to insufficient rate\u2011limiting controls.\u00a0This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-307",
                  "description": "CWE-307 Improper restriction of excessive authentication attempts",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-16T04:54:48.148Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2026-22616",
        "datePublished": "2026-04-16T04:54:48.148Z",
        "dateReserved": "2026-01-08T04:55:11.728Z",
        "dateUpdated": "2026-04-16T13:30:12.024Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22615 (GCVE-0-2026-22615)

    Vulnerability from cvelistv5 – Published: 2026-04-16 04:45 – Updated: 2026-04-16 12:59
    VLAI
    Summary
    Due to improper input validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is possible for an attacker with admin privileges and access to the local system to inject malicious code resulting in arbitrary command execution. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    Assigner
    Impacted products
    Vendor Product Version
    Eaton IPP Software Affected: 0 , < 2.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22615",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T12:59:53.063682Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T12:59:58.829Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "IPP Software",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cspan\u003eDue to improper\ninput validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is\npossible for an attacker with admin privileges and access to the local system to\ninject malicious code resulting in arbitrary command execution.\u0026nbsp;\u003c/span\u003e\u003cspan\u003eThis security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.\u003c/span\u003e\u003c/p\u003e"
                }
              ],
              "value": "Due to improper\ninput validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is\npossible for an attacker with admin privileges and access to the local system to\ninject malicious code resulting in arbitrary command execution.\u00a0This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-16T04:45:58.055Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2026-22615",
        "datePublished": "2026-04-16T04:45:58.055Z",
        "dateReserved": "2026-01-08T04:55:11.728Z",
        "dateUpdated": "2026-04-16T12:59:58.829Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-23283 (GCVE-0-2021-23283)

    Vulnerability from cvelistv5 – Published: 2022-04-19 20:26 – Updated: 2024-09-17 02:46
    VLAI
    Title
    Security issues in Eaton Intelligent Power Protector (IPP)
    Summary
    Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Eaton Eaton Intelligent Power Protector (IPP) Affected: unspecified , < 1.69 release 166 (custom)
    Create a notification for this product.
    Date Public
    2022-03-01 00:00
    Credits
    Eaton thanks the below organization and individuals for their coordinated support on the security vulnerability: CVE-2021-23283 - Micheal Heinzl via ICS-Cert
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.592Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Eaton Intelligent Power Protector (IPP)",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "1.69 release 166",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Eaton thanks the below organization and individuals for their coordinated support on the security vulnerability: CVE-2021-23283 - Micheal Heinzl via ICS-Cert"
            }
          ],
          "datePublic": "2022-03-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-19T20:26:41.000Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Eaton has patched the security issue and new version of the affected software has been released. The latest version can be downloaded from below location: - Eaton IPP v1.69 https://www.eaton.com/us/en-us/products/backup-power-ups-surge-it-power-distribution/software-downloads.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Security issues in Eaton Intelligent Power Protector (IPP)",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "CybersecurityCOE@eaton.com",
              "DATE_PUBLIC": "2022-03-01T02:10:00.000Z",
              "ID": "CVE-2021-23283",
              "STATE": "PUBLIC",
              "TITLE": "Security issues in Eaton Intelligent Power Protector (IPP)"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Eaton Intelligent Power Protector (IPP)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.69 release 166"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Eaton"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Eaton thanks the below organization and individuals for their coordinated support on the security vulnerability: CVE-2021-23283 - Micheal Heinzl via ICS-Cert"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf",
                  "refsource": "MISC",
                  "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Eaton has patched the security issue and new version of the affected software has been released. The latest version can be downloaded from below location: - Eaton IPP v1.69 https://www.eaton.com/us/en-us/products/backup-power-ups-surge-it-power-distribution/software-downloads.html"
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2021-23283",
        "datePublished": "2022-04-19T20:26:41.123Z",
        "dateReserved": "2021-01-08T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:46:39.591Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23288 (GCVE-0-2021-23288)

    Vulnerability from cvelistv5 – Published: 2022-04-01 22:17 – Updated: 2024-09-16 19:14
    VLAI
    Title
    Security issues in Intelligent Power Protector
    Summary
    The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. The attacker would need access to the local Subnet and an administrator interaction to compromise the system. This issue affects: Intelligent Power Protector versions prior to 1.69.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Eaton Intelligent Power Protector Affected: unspecified , < 1.69 (custom)
    Create a notification for this product.
    Date Public
    2022-02-08 00:00
    Credits
    Eaton thanks the below researchers for the coordinated support on the security vulnerabilities: - • CVE-2021-23288 – Andreas Finstad and Arthur Donkers
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.288Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Intelligent Power Protector",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "1.69",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Eaton thanks the below researchers for the coordinated support on the security vulnerabilities: - \u2022 CVE-2021-23288 \u2013 Andreas Finstad and Arthur Donkers"
            }
          ],
          "datePublic": "2022-02-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. The attacker would need access to the local Subnet and an administrator interaction to compromise the system. This issue affects: Intelligent Power Protector versions prior to 1.69."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-01T22:17:34.000Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Eaton has patched these security issues and new versions of the affected software are released. The latest versions can be downloaded from below location: -\nEaton IPM v1.69 \u2013 https://www.eaton.com/us/en-us/catalog/backup-power-ups-surge-it-power-distribution/eaton-intelligent-power-protector.resources.html"
            }
          ],
          "source": {
            "advisory": "ETN-VA-2021-1002b",
            "discovery": "EXTERNAL"
          },
          "title": "Security issues in Intelligent Power Protector",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "CybersecurityCOE@eaton.com",
              "DATE_PUBLIC": "2022-02-08T11:20:00.000Z",
              "ID": "CVE-2021-23288",
              "STATE": "PUBLIC",
              "TITLE": "Security issues in Intelligent Power Protector"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Intelligent Power Protector",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.69"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Eaton"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Eaton thanks the below researchers for the coordinated support on the security vulnerabilities: - \u2022 CVE-2021-23288 \u2013 Andreas Finstad and Arthur Donkers"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. The attacker would need access to the local Subnet and an administrator interaction to compromise the system. This issue affects: Intelligent Power Protector versions prior to 1.69."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf",
                  "refsource": "MISC",
                  "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Eaton has patched these security issues and new versions of the affected software are released. The latest versions can be downloaded from below location: -\nEaton IPM v1.69 \u2013 https://www.eaton.com/us/en-us/catalog/backup-power-ups-surge-it-power-distribution/eaton-intelligent-power-protector.resources.html"
              }
            ],
            "source": {
              "advisory": "ETN-VA-2021-1002b",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2021-23288",
        "datePublished": "2022-04-01T22:17:34.614Z",
        "dateReserved": "2021-01-08T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:14:44.585Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23280 (GCVE-0-2021-23280)

    Vulnerability from cvelistv5 – Published: 2021-04-13 18:04 – Updated: 2024-09-16 17:24
    VLAI
    Title
    Arbitrary File upload
    Summary
    Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file upload vulnerability. IPM’s maps_srv.js allows an attacker to upload a malicious NodeJS file using uploadBackgroud action. An attacker can upload a malicious code or execute any command using a specially crafted packet to exploit the vulnerability.
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    Eaton Intelligent Power manager (IPM) Affected: unspecified , < 1.69 (custom)
    Create a notification for this product.
    Date Public
    2021-04-01 00:00
    Credits
    Amir Preminger from Claroty research
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.663Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Intelligent Power manager (IPM)",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "1.69",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Amir Preminger from Claroty research"
            }
          ],
          "datePublic": "2021-04-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file upload vulnerability. IPM\u2019s maps_srv.js allows an attacker to upload a malicious NodeJS file using uploadBackgroud action. An attacker can upload a malicious code or execute any command using a specially crafted packet to exploit the vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-13T18:04:34.000Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "upgrade the software to latest version 1.69"
            }
          ],
          "source": {
            "advisory": "ETN-VA-2021-1000",
            "defect": [
              "ETN-VA-2021-1000"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Arbitrary File upload",
          "workarounds": [
            {
              "lang": "en",
              "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "Unrestricted Upload of File with Dangerous Type",
              "ASSIGNER": "CybersecurityCOE@eaton.com",
              "DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
              "ID": "CVE-2021-23280",
              "STATE": "PUBLIC",
              "TITLE": "Arbitrary File upload"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Intelligent Power manager (IPM)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.69"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Eaton"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Amir Preminger from Claroty research"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file upload vulnerability. IPM\u2019s maps_srv.js allows an attacker to upload a malicious NodeJS file using uploadBackgroud action. An attacker can upload a malicious code or execute any command using a specially crafted packet to exploit the vulnerability."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
                  "refsource": "MISC",
                  "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "upgrade the software to latest version 1.69"
              }
            ],
            "source": {
              "advisory": "ETN-VA-2021-1000",
              "defect": [
                "ETN-VA-2021-1000"
              ],
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2021-23280",
        "datePublished": "2021-04-13T18:04:34.985Z",
        "dateReserved": "2021-01-08T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:24:07.762Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23277 (GCVE-0-2021-23277)

    Vulnerability from cvelistv5 – Published: 2021-04-13 18:04 – Updated: 2024-09-16 18:38
    VLAI
    Title
    Improper Neutralization of Directives in Dynamically Evaluated Code
    Summary
    Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands.
    CWE
    • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Eaton Intelligent Power manager (IPM) Affected: unspecified , < 1.69 (custom)
    Create a notification for this product.
    Date Public
    2021-04-01 00:00
    Credits
    Amir Preminger from Claroty research
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.736Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Intelligent Power manager (IPM)",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "1.69",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Amir Preminger from Claroty research"
            }
          ],
          "datePublic": "2021-04-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-95",
                  "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-13T18:04:16.000Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "upgrade the software to latest version 1.69"
            }
          ],
          "source": {
            "advisory": "ETN-VA-2021-1000",
            "defect": [
              "ETN-VA-2021-1000"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Improper Neutralization of Directives in Dynamically Evaluated Code",
          "workarounds": [
            {
              "lang": "en",
              "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "Eval Injection",
              "ASSIGNER": "CybersecurityCOE@eaton.com",
              "DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
              "ID": "CVE-2021-23277",
              "STATE": "PUBLIC",
              "TITLE": "Improper Neutralization of Directives in Dynamically Evaluated Code"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Intelligent Power manager (IPM)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.69"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Eaton"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Amir Preminger from Claroty research"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
                  "refsource": "MISC",
                  "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "upgrade the software to latest version 1.69"
              }
            ],
            "source": {
              "advisory": "ETN-VA-2021-1000",
              "defect": [
                "ETN-VA-2021-1000"
              ],
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2021-23277",
        "datePublished": "2021-04-13T18:04:16.126Z",
        "dateReserved": "2021-01-08T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:38:30.132Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23279 (GCVE-0-2021-23279)

    Vulnerability from cvelistv5 – Published: 2021-04-13 18:03 – Updated: 2024-09-16 17:18
    VLAI
    Title
    Arbitrary File delete
    Summary
    Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Eaton Intelligent Power manager (IPM) Affected: unspecified , < 1.69 (custom)
    Create a notification for this product.
    Date Public
    2021-04-01 00:00
    Credits
    Amir Preminger from Claroty research
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.624Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Intelligent Power manager (IPM)",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "1.69",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Amir Preminger from Claroty research"
            }
          ],
          "datePublic": "2021-04-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-13T18:03:26.000Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "upgrade the software to latest version 1.69"
            }
          ],
          "source": {
            "advisory": "ETN-VA-2021-1000",
            "defect": [
              "ETN-VA-2021-1000"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Arbitrary File delete",
          "workarounds": [
            {
              "lang": "en",
              "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "Improper Input validation",
              "ASSIGNER": "CybersecurityCOE@eaton.com",
              "DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
              "ID": "CVE-2021-23279",
              "STATE": "PUBLIC",
              "TITLE": "Arbitrary File delete"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Intelligent Power manager (IPM)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.69"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Eaton"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Amir Preminger from Claroty research"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
                  "refsource": "MISC",
                  "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "upgrade the software to latest version 1.69"
              }
            ],
            "source": {
              "advisory": "ETN-VA-2021-1000",
              "defect": [
                "ETN-VA-2021-1000"
              ],
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2021-23279",
        "datePublished": "2021-04-13T18:03:26.395Z",
        "dateReserved": "2021-01-08T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:18:54.414Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23276 (GCVE-0-2021-23276)

    Vulnerability from cvelistv5 – Published: 2021-04-13 18:03 – Updated: 2024-09-17 02:22
    VLAI
    Title
    Improper Neutralization of Special Elements used in an SQL Command
    Summary
    Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Eaton Intelligent Power manager (IPM) Affected: unspecified , < 1.69 (custom)
    Create a notification for this product.
    Date Public
    2021-04-01 00:00
    Credits
    Amir Preminger from Claroty research
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:54.415Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Intelligent Power manager (IPM)",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "1.69",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Amir Preminger from Claroty research"
            }
          ],
          "datePublic": "2021-04-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-13T18:03:08.000Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "upgrade the software to latest version 1.69"
            }
          ],
          "source": {
            "advisory": "ETN-VA-2021-1000",
            "defect": [
              "ETN-VA-2021-1000"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Improper Neutralization of Special Elements used in an SQL Command",
          "workarounds": [
            {
              "lang": "en",
              "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "SQL Injection",
              "ASSIGNER": "CybersecurityCOE@eaton.com",
              "DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
              "ID": "CVE-2021-23276",
              "STATE": "PUBLIC",
              "TITLE": "Improper Neutralization of Special Elements used in an SQL Command"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Intelligent Power manager (IPM)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.69"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Eaton"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Amir Preminger from Claroty research"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
                  "refsource": "MISC",
                  "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "upgrade the software to latest version 1.69"
              }
            ],
            "source": {
              "advisory": "ETN-VA-2021-1000",
              "defect": [
                "ETN-VA-2021-1000"
              ],
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2021-23276",
        "datePublished": "2021-04-13T18:03:08.524Z",
        "dateReserved": "2021-01-08T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:22:03.243Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23278 (GCVE-0-2021-23278)

    Vulnerability from cvelistv5 – Published: 2021-04-13 18:02 – Updated: 2024-09-16 20:11
    VLAI
    Title
    Arbitrary File delete
    Summary
    Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Eaton Intelligent Power manager (IPM) Affected: unspecified , < 1.69 (custom)
    Create a notification for this product.
    Date Public
    2021-04-01 00:00
    Credits
    Amir Preminger from Claroty research
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.635Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Intelligent Power manager (IPM)",
              "vendor": "Eaton",
              "versions": [
                {
                  "lessThan": "1.69",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Amir Preminger from Claroty research"
            }
          ],
          "datePublic": "2021-04-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-13T18:02:51.000Z",
            "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
            "shortName": "Eaton"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "upgrade the software to latest version 1.69"
            }
          ],
          "source": {
            "advisory": "ETN-VA-2021-1000",
            "defect": [
              "ETN-VA-2021-1000"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Arbitrary File delete",
          "workarounds": [
            {
              "lang": "en",
              "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "Improper Input validation",
              "ASSIGNER": "CybersecurityCOE@eaton.com",
              "DATE_PUBLIC": "2021-04-01T07:00:00.000Z",
              "ID": "CVE-2021-23278",
              "STATE": "PUBLIC",
              "TITLE": "Arbitrary File delete"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Intelligent Power manager (IPM)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.69"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Eaton"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Amir Preminger from Claroty research"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf",
                  "refsource": "MISC",
                  "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "upgrade the software to latest version 1.69"
              }
            ],
            "source": {
              "advisory": "ETN-VA-2021-1000",
              "defect": [
                "ETN-VA-2021-1000"
              ],
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 \u0026 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
        "assignerShortName": "Eaton",
        "cveId": "CVE-2021-23278",
        "datePublished": "2021-04-13T18:02:51.932Z",
        "dateReserved": "2021-01-08T00:00:00.000Z",
        "dateUpdated": "2024-09-16T20:11:36.112Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }