Command injection via specially crafted file name during config file upload
CVE-2020-6651

8.8 HIGH

Key Information:

Vendor: Eaton
CVE Published: 4 May 2020

Summary

Improper input validation of the file name in the configuration file import functionality of Eaton's Intelligent Power Manager (IPM) v1.67 and prior allows attackers to perform command injection or code execution via specially crafted file names when uploading a configuration file to the application.

Affected Version(s)

Intelligent Power Manager (IPM) <= 1.67

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Eaton would like to thank Sivathmican Sivakumaran for working with Eaton and helping Eaton in releasing more robust and secure products.