CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-23281 – Remote Code execution
https://notcve.org/view.php?id=CVE-2021-23281
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated remote code execution vulnerability. IPM software does not sanitize the date provided via coverterCheckList action in meta_driver_srv.js class. Attackers can send a specially crafted packet to make IPM connect to rouge SNMP server and execute attacker-controlled code. Eaton Intelligent Power Manager (IPM) versiones anteriores a 1.69, es susceptible a una vulnerabilidad de ejecución de código remota no autenticada. El software IPM no sanea la fecha proporcionada por medio de la acción coverterCheckList en la clase meta_driver_srv.js. • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2021-23279 – Arbitrary File delete
https://notcve.org/view.php?id=CVE-2021-23279
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed. Eaton Intelligent Power Manager (IPM) versiones anteriores a 1.69, es susceptible a una vulnerabilidad de eliminación de archivos arbitrarios no autenticados inducida debido a una comprobación inapropiada de entrada en la clase meta_driver_srv.js con la acción saveDriverData utilizando un driverID no válido. Un atacante puede enviar paquetes especialmente diseñados para eliminar los archivos del sistema donde está instalado el software IPM • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-23276 – Improper Neutralization of Special Elements used in an SQL Command
https://notcve.org/view.php?id=CVE-2021-23276
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base. Eaton Intelligent Power Manager (IPM) versiones anteriores a 1.69, es vulnerable a una inyección de SQL autenticado. Un usuario malicioso puede enviar un paquete especialmente diseñado para explotar la vulnerabilidad. • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.6EPSS: 0%CPEs: 3EXPL: 0CVE-2021-23278 – Arbitrary File delete
https://notcve.org/view.php?id=CVE-2021-23278
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed. Eaton Intelligent Power Manager (IPM) versiones anteriores a 1.69, es susceptible a una vulnerabilidad de eliminación de archivos arbitrarios autenticados inducida debido a una comprobación inapropiada de entrada en el archivo server/maps_srv.js con la acción removeBackground y en el archivo server/node_upgrade_srv.js con la acción removeFirmware. Un atacante puede enviar paquetes especialmente diseñados para eliminar los archivos del sistema donde está instalado el software IPM • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-6656 – File parsing Type Confusion Remote code execution vulerability
https://notcve.org/view.php?id=CVE-2020-6656
Eaton's easySoft software v7.xx prior to v7.22 are susceptible to file parsing type confusion remote code execution vulnerability. A malicious entity can execute a malicious code or make the application crash by tricking user upload a malformed .E70 file in the application. The vulnerability arises due to improper validation of user data supplied through E70 file which is causing Type Confusion. El software easySoft de Eaton versiones v7.xx y anteriores a la v7.22 es susceptible a la vulnerabilidad de ejecución remota de código por confusión de tipo de archivo. Una entidad maliciosa puede ejecutar un código malicioso o hacer que la aplicación se bloquee engañando al usuario para que cargue un archivo .E70 malformado en la aplicación. • https://us-cert.cisa.gov/ics/advisories/icsa-21-007-03 https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/easySoft-eaton-vulnerability-advisory.pdf https://www.zerodayinitiative.com/advisories/ZDI-20-1441 https://www.zerodayinitiative.com/advisories/ZDI-20-1442 https://www.zerodayinitiative.com/advisories/ZDI-20-1444 • CWE-20: Improper Input Validation CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •