CVE-2020-6652
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Incorrect Privilege Assignment vulnerability in Eaton's Intelligent Power Manager (IPM) v1.67 & prior allow non-admin users to upload the system configuration files by sending specially crafted requests. This can result in non-admin users manipulating the system configurations via uploading the configurations with incorrect parameters.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Eaton | Intelligent Power manager (IPM) | unspecified <= 1.67 | affected |
Weaknesses
- CWE-266: CWE-266 Incorrect Privilege Assignment
Workarounds
Remove users which are not part of the origination and having accounts in the software. Block port 4679 & 4680 at enterprise network firewall to prevent malicious users from accessing the software outside the facility.
ADP Enrichment
CVE Program Container
Additional References
- https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf
- https://www.zerodayinitiative.com/advisories/ZDI-20-650/
References
- https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf
- https://www.zerodayinitiative.com/advisories/ZDI-20-650/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.