CVE-2021-23286
Published 2022-04-18
CVE-2021-23286: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to CSV Formula Injection. This…
Priority P3 37, high, 8 (CVSS 3.1)
AV:A / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 0.40% (32.0th percentile)
Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to CSV Formula Injection. This issue affects: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) all version 1.5.0plus205 and prior versions.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eaton | intelligent_power_manager | <= 1.5.0plus205 | — |
| eaton | intelligent_power_manager_infrastructure | all – 1.5.0plus205 | — |
CVSS provenance
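| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.9 | HIGH | AV:A/AC:M/Au:N/C:C/I:C/A:C |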
CISA ICS
Eaton Intelligent Power Manager Infrastructure
cisa_ics·2022-05-10·CVSS 5.7
[MEDIUM] Eaton Intelligent Power Manager Infrastructure
ICS Advisory
Eaton Intelligent Power Manager Infrastructure
Last Revised: May 10, 2022
Alert Code: ICSA-22-130-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 5.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Eaton
- Equipment: Intelligent Power Manager Infrastructure
- Vulnerabilities: Cross-site Scripting, Reflected Cross-site Scripting, Improper Neutralization of Formula in a CSV File
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code using untrusted data.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
T
GHSA
GHSA-7pmh-g9pc-h622: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1
ghsa_unreviewed·2022-04-19
CVE-2021-23286 [HIGH] CWE-1236 GHSA-7pmh-g9pc-h622: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1
Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to CSV Formula Injection. This issue affects: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) all version 1.5.0plus205 and prior versions.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Manager-%28IPM%29-Infrastructure-Vulnerability-Advisory_1001c_V1.0.pdf
https://www.eaton.com/content/dam/eaton/products/backup-power-ups-surge-it-power-distribution/power-management-software-connectivity/eaton-intelligent-power-manager/software/ipm-understand-edition-emea/eaton-ipminfra-eolmemo-en-us.pdf.
Published: 2022-04-18