CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-23285 – Security issues in Eaton Intelligent Power Manager Infrastructure
https://notcve.org/view.php?id=CVE-2021-23285
Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to reflected Cross-site Scripting vulnerability. This issue affects: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) all version 1.5.0plus205 and prior versions. Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) versión 1.5.0plus205 y todas las versiones anteriores, son susceptibles a una vulnerabilidad de tipo Cross-Site Scripting Reflejado. Este problema afecta: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) todas las versiones 1.5.0plus205 y versiones anteriores • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Manager-%28IPM%29-Infrastructure-Vulnerability-Advisory_1001c_V1.0.pdf https://www.eaton.com/content/dam/eaton/products/backup-power-ups-surge-it-power-distribution/power-management-software-connectivity/eaton-intelligent-power-manager/software/ipm-understand-edition-emea/eaton-ipminfra-eolmemo-en-us.pdf. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.6EPSS: 0%CPEs: 1EXPL: 0CVE-2021-23288 – Security issues in Intelligent Power Protector
https://notcve.org/view.php?id=CVE-2021-23288
The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. The attacker would need access to the local Subnet and an administrator interaction to compromise the system. This issue affects: Intelligent Power Protector versions prior to 1.69. La vulnerabilidad se presenta debido a una insuficiente comprobación de la entrada de determinados recursos por parte del software IPP. El atacante necesitaría acceso a la subred local y una interacción de administrador para comprometer el sistema. • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.6EPSS: 0%CPEs: 1EXPL: 0CVE-2021-23287 – Security issues in Intelligent Power Manager (IPM 1)
https://notcve.org/view.php?id=CVE-2021-23287
The vulnerability exists due to insufficient validation of input of certain resources within the IPM software. This issue affects: Intelligent Power Manager (IPM 1) versions prior to 1.70. La vulnerabilidad se presenta debido a que no es comprobado suficientemente la entrada de determinados recursos en el software IPM. Este problema afecta a: Intelligent Power Manager (IPM 1) versiones anteriores a 1.70 • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Manager-Vulnerability-Advisory_1002a_V1.0.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 0CVE-2021-23280 – Arbitrary File upload
https://notcve.org/view.php?id=CVE-2021-23280
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file upload vulnerability. IPM’s maps_srv.js allows an attacker to upload a malicious NodeJS file using uploadBackgroud action. An attacker can upload a malicious code or execute any command using a specially crafted packet to exploit the vulnerability. Eaton Intelligent Power Manager (IPM) versiones anteriores a 1.69, es susceptible a una vulnerabilidad de carga de archivos arbitraria autenticada. El archivo Maps_srv.js de IPM permite a un atacante cargar un archivo NodeJS malicioso usando la acción uploadBackgroud. • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 1%CPEs: 3EXPL: 0CVE-2021-23277 – Improper Neutralization of Directives in Dynamically Evaluated Code
https://notcve.org/view.php?id=CVE-2021-23277
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands. Eaton Intelligent Power Manager (IPM) versiones anteriores a 1.69, es susceptible a una vulnerabilidad de inyección de evaluación no autenticada. El software no neutraliza el código syntax de los usuarios antes de usarlo en la llamada de evaluación dinámica en la función loadUserFile en el archivo scripts/libs/utils.js. • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •