Incorrect privilege assignment allowing non-admin users to upload config files
CVE-2020-6652

7.8HIGH

Key Information:

Vendor
Eaton
Status
Intelligent Power Manager (ipm)
Vendor
CVE Published:
4 May 2020

Summary

Incorrect Privilege Assignment vulnerability in Eaton's Intelligent Power Manager (IPM) v1.67 & prior allow non-admin users to upload the system configuration files by sending specially crafted requests. This can result in non-admin users manipulating the system configurations via uploading the configurations with incorrect parameters.

Affected Version(s)

Intelligent Power manager (IPM) <= 1.67

References

https://www.eaton.com/content/dam/eaton/company/news-insi...
x_refsource_MISC
https://www.zerodayinitiative.com/advisories/ZDI-20-650/
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Eaton would like to thank Sivathmican Sivakumaran for working with Eaton and helping Eaton in releasing more robust and secure products.
.
CVE-2020-6652 : Incorrect privilege assignment allowing non-admin users to upload config files | SecurityVulnerability.io