CVE-2020-6651
Published: 2020-05-07
CVE-2020-6651: Improper Input Validation in Eaton's Intelligent Power Manager (IPM) v 1.67 & prior on file name during configuration file import functionality allows…
Priority: P3 · 39 · CVSS 3.1 score 7.3 (high)
EPSS: 2.15% (79.8th percentile)
Improper Input Validation in Eaton's Intelligent Power Manager (IPM) v 1.67 & prior on file name during configuration file import functionality allows attackers to perform command injection or code execution via specially crafted file names while uploading the configuration file in the application.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eaton | intelligent_power_manager | <= 1.67 | — |
| eaton | intelligent_power_manager | unspecified – 1.67 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.3 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
GHSA
GHSA-h5vj-g7qc-m75w · unreviewed · 2022-05-24 · severity MEDIUM
GHSA-h5vj-g7qc-m75w: Improper Input Validation in Eaton's Intelligent Power Manager (IPM) v 1
CISA ICS
ICSA-20-133-01: Eaton Intelligent Power Manager · 2020-05-12 · CVSS 8.8 (HIGH)
Archived Content: In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
## ICS Advisory: Eaton Intelligent Power Manager
Last Revised: May 12, 2020
Alert Code: ICSA-20-133-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.8
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Eaton
- Equipment: Intelligent Power Manager
- Vulnerabilities: Improper Input Validation, Incorrect Privilege Assignment
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to perform command injection or code execution and allow non-administrator users to manipulate the system configurations.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCT
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf
- https://www.zerodayinitiative.com/advisories/ZDI-20-649/
Published: 2020-05-07