Cross-Site Request Forgery and Scripting Vulnerabilities in Eaton UPS 9PX 8000 SP Devices
CVE-2018-9281

8.8HIGH

Key Information:

Vendor
Eaton
Status
9px Ups Firmware
Vendor
CVE Published:
24 October 2018

Summary

Eaton UPS 9PX 8000 SP devices contain vulnerabilities that allow an attacker to exploit CSRF flaws in the administration panel. Specifically, the change-password functionality can be manipulated, enabling an attacker to force a legitimate administrator to execute a silent password update without their consent. Additionally, the forms within the administration panel are vulnerable to Reflected Cross-Site Scripting (XSS) attacks. Malicious actors can craft a deceptive web page that, when visited by the logged-in administrator, triggers the execution of unwanted scripts, potentially allowing unauthorized actions and access to sensitive functionalities within the device.

References

https://www.bishopfox.com/news/2018/10/eaton-ups-9px-8000...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2018-9281 : Cross-Site Request Forgery and Scripting Vulnerabilities in Eaton UPS 9PX 8000 SP Devices | SecurityVulnerability.io