CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-23276 – Improper Neutralization of Special Elements used in an SQL Command
https://notcve.org/view.php?id=CVE-2021-23276
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base. Eaton Intelligent Power Manager (IPM) versiones anteriores a 1.69, es vulnerable a una inyección de SQL autenticado. Un usuario malicioso puede enviar un paquete especialmente diseñado para explotar la vulnerabilidad. • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.6EPSS: 0%CPEs: 3EXPL: 0CVE-2021-23278 – Arbitrary File delete
https://notcve.org/view.php?id=CVE-2021-23278
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed. Eaton Intelligent Power Manager (IPM) versiones anteriores a 1.69, es susceptible a una vulnerabilidad de eliminación de archivos arbitrarios autenticados inducida debido a una comprobación inapropiada de entrada en el archivo server/maps_srv.js con la acción removeBackground y en el archivo server/node_upgrade_srv.js con la acción removeFirmware. Un atacante puede enviar paquetes especialmente diseñados para eliminar los archivos del sistema donde está instalado el software IPM • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-6656 – File parsing Type Confusion Remote code execution vulerability
https://notcve.org/view.php?id=CVE-2020-6656
Eaton's easySoft software v7.xx prior to v7.22 are susceptible to file parsing type confusion remote code execution vulnerability. A malicious entity can execute a malicious code or make the application crash by tricking user upload a malformed .E70 file in the application. The vulnerability arises due to improper validation of user data supplied through E70 file which is causing Type Confusion. El software easySoft de Eaton versiones v7.xx y anteriores a la v7.22 es susceptible a la vulnerabilidad de ejecución remota de código por confusión de tipo de archivo. Una entidad maliciosa puede ejecutar un código malicioso o hacer que la aplicación se bloquee engañando al usuario para que cargue un archivo .E70 malformado en la aplicación. • https://us-cert.cisa.gov/ics/advisories/icsa-21-007-03 https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/easySoft-eaton-vulnerability-advisory.pdf https://www.zerodayinitiative.com/advisories/ZDI-20-1441 https://www.zerodayinitiative.com/advisories/ZDI-20-1442 https://www.zerodayinitiative.com/advisories/ZDI-20-1444 • CWE-20: Improper Input Validation CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 0CVE-2020-6655 – File parsing Out-Of-Bounds read remote code execution
https://notcve.org/view.php?id=CVE-2020-6655
The Eaton's easySoft software v7.xx prior to v7.22 are susceptible to Out-of-bounds remote code execution vulnerability. A malicious entity can execute a malicious code or make the application crash by tricking user to upload the malformed .E70 file in the application. The vulnerability arises due to improper validation and parsing of the E70 file content by the application. El software easySoft de Eaton versión v7.xx y anterior a la v7.22 es susceptible a la vulnerabilidad de ejecución remota de código fuera de límites. Una entidad maliciosa puede ejecutar un código malicioso o hacer que la aplicación se bloquee engañando al usuario para que cargue el archivo .E70 malformado en la aplicación. • https://us-cert.cisa.gov/ics/advisories/icsa-21-007-03 https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/easySoft-eaton-vulnerability-advisory.pdf https://www.zerodayinitiative.com/advisories/ZDI-20-1443 • CWE-20: Improper Input Validation CWE-125: Out-of-bounds Read •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-6654 – DLL Hijacking
https://notcve.org/view.php?id=CVE-2020-6654
A DLL Hijacking vulnerability in Eaton's 9000x Programming and Configuration Software v 2.0.38 and prior allows an attacker to execute arbitrary code by replacing the required DLLs with malicious DLLs when the software try to load vci11un6.DLL and cinpl.DLL. Una vulnerabilidad de secuestro de DLL en 9000x Programming and Configuration Software de Eaton v 2.0.38 y anteriores, permite a un atacante ejecutar código arbitrario al reemplazar las DLL requeridas por DLL maliciosas cuando el software intenta cargar vci11un6.DLL y cinpl.DLL • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/9000x-software-eaton-vulnerability-advisory.pdf • CWE-426: Untrusted Search Path CWE-427: Uncontrolled Search Path Element •