122 matches found
Design/Logic Flaw
Eaton Intelligent Power Manager IPM prior to 1.69 is vulnerable to unauthenticated eval injection. The software does not neutralize code syntax from users before using it in the dynamic evaluation call in the loadUserFile function under scripts/libs/utils.js. Successful exploitation can...
SQL injection
Eaton Intelligent Power Manager IPM prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the database...
Privilege escalation
Eaton Intelligent Power Manager IPM prior to 1.69 is vulnerable to an authenticated arbitrary file upload. IPM’s mapssrv.js allows an attacker to upload a malicious NodeJS file using the uploadBackgroud action. An attacker can upload malicious code or execute any command using a speciall...
Input validation
Eaton Intelligent Power Manager IPM prior to 1.69 is vulnerable to an unauthenticated arbitrary file delete caused by improper input validation in the metadriversrv.js class, in the saveDriverData action, using invalidated driverID. An attacker can send specially crafted packets to delete...
CVE-2021-23280
Eaton IPM before 1.69 is affected by CVE-2021-23280, an authenticated arbitrary file upload in IPM’s maps_srv.js via the uploadBackgroud action. A malicious NodeJS file can be uploaded and later code/execution may be possible using specially crafted packets. The vulnerability affects IPM versions...
CVE-2021-23280 Arbitrary File upload
Eaton Intelligent Power Manager IPM prior to 1.69 is vulnerable to an authenticated arbitrary file upload. IPM’s mapssrv.js allows an attacker to upload a malicious NodeJS file using the uploadBackgroud action. An attacker can upload malicious code or execute any command using a speciall...
CVE-2021-23277 Improper Neutralization of Directives in Dynamically Evaluated Code
Eaton Intelligent Power Manager IPM prior to 1.69 is vulnerable to unauthenticated eval injection. The software does not neutralize code syntax from users before using it in the dynamic evaluation call in the loadUserFile function under scripts/libs/utils.js. Successful exploitation can...
CVE-2021-23277
CVE-2021-23277 affects Eaton Intelligent Power Manager (IPM) versions prior to 1.69. The issue is an unauthenticated eval injection in the loadUserFile function (scripts/libs/utils.js) where user input is not neutralized before dynamic evaluation, enabling an attacker to influence input to the fu...
CVE-2021-23281
CVE-2021-23281 – Eaton IPM before 1.69 is affected by an unauthenticated remote code execution vulnerability. The issue arises from inadequate sanitization in the meta_driver_srv.js class (coverterCheckList usage), allowing a crafted packet to trigger IPM to connect to a rogue SNMP server and execute attacke...
CVE-2021-23281 Remote Code execution
Eaton Intelligent Power Manager IPM prior to 1.69 is vulnerable to unauthenticated remote code execution. IPM software does not sanitize the date provided via the coverterCheckList action in the metadriversrv.js class. Attackers can send a specially crafted packet to make IPM connect to rou...
CVE-2021-23279
CVE-2021-23279 affects Eaton IPM prior to 1.69. The vulnerability is an unauthenticated arbitrary file delete caused by improper input validation in the meta_driver_srv.js class (saveDriverData) when using an invalidated driverID. An attacker could send crafted packets to delete files on the IPM ...
CVE-2021-23276 Improper Neutralization of Special Elements used in an SQL Command
Eaton Intelligent Power Manager IPM prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the database...
CVE-2021-23276
CVE-2021-23276 affects Eaton Intelligent Power Manager (IPM) versions prior to 1.69. The EU/ICS/Nessus/NVD documents describe an authenticated SQL injection vulnerability that can allow an attacker to add users to the IPM database. The vulnerability is part of a family of IPM issues in 1.69 and e...
CVE-2021-23278
Eaton IPM before 1.69 is vulnerable to an authenticated arbitrary file-delete via improper input validation in maps_srv.js (removeBackground) and node_upgrade_srv.js (removeFirmware). An attacker with valid credentials can delete files on the IPM host. Remediation per linked advisories: upgrade t...
CVE-2021-23278 Arbitrary File delete
Eaton Intelligent Power Manager IPM prior to 1.69 is vulnerable to an authenticated arbitrary file delete caused by improper input validation at server/mapssrv.js with action removeBackground and server/nodeupgradesrv.js with action removeFirmware. An attacker can send specially...
Eaton Intelligent Power Manager Installed (Windows)
Binary data eatonipmwininstalled.nbin...
CVE-2020-6652
An Incorrect Privilege Assignment vulnerability in Eaton's Intelligent Power Manager IPM v1.67 & prior allows non-admin users to upload the system configuration files by sending specially crafted requests. This can result in non-admin users manipulating the system configurations via uploading the...
Privilege escalation
An Incorrect Privilege Assignment vulnerability in Eaton's Intelligent Power Manager IPM v1.67 & prior allows non-admin users to upload the system configuration files by sending specially crafted requests. This can result in non-admin users manipulating the system configurations via uploading the...
CVE-2020-6651
CVE-2020-6651 affects Eaton Intelligent Power Manager (IPM) versions 1.67 and earlier. The vulnerability is due to improper input validation on the configuration file import file name, which allows an attacker to trigger command injection or code execution via specially crafted file names during ...
CVE-2020-6651 Command injection via specially crafted file name during config file upload
Improper Input Validation in Eaton's Intelligent Power Manager IPM v1.67 & prior on the file name during configuration file import allows attackers to perform command injection or code execution via specially crafted file names while uploading the configuration file in the application...