Vulnerability CVE-2020-6651

Vulnerability CVE-2020-6651

Published: 2020-05-07

Description:

Improper Input Validation in Eaton's Intelligent Power Manager (IPM) v 1.67 & prior on file name during configuration file import functionality allows attackers to perform command injection or code execution via specially crafted file names while uploading the configuration file in the application.

Type:

CWE-78

(Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') )

CVSS2 => (AV:N/AC:M/Au:S/C:P/I:P/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
6/10	6.4/10	6.8/10

Exploit range	Attack complexity	Authentication
Remote	Medium	Single time
Confidentiality impact	Integrity impact	Availability impact
Partial	Partial	Partial

Affected software
Eaton -> Intelligent power manager

References:

https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf

https://www.zerodayinitiative.com/advisories/ZDI-20-649/

Vulnerability CVE-2020-6651

Improper Input Validation in Eaton's Intelligent Power Manager (IPM) v 1.67 & prior on file name during configuration file import functionality allows attackers to perform command injection or code execution via specially crafted file names while uploading the configuration file in the application.

CWE-78

CVSS2 => (AV:N/AC:M/Au:S/C:P/I:P/A:P)

6/10

6.4/10

6.8/10

Remote

Medium

Single time

Partial

Partial

Partial

Affected software

References: