CVE-2020-6651

{"id": "CVE-2020-6651", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.3}, {"type": "Secondary", "source": "CybersecurityCOE@eaton.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2020-05-07T16:15:11.313", "references": [{"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf", "tags": ["Mitigation", "Vendor Advisory"], "source": "CybersecurityCOE@eaton.com"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-649/", "source": "CybersecurityCOE@eaton.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-78"}]}, {"type": "Secondary", "source": "CybersecurityCOE@eaton.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Improper Input Validation in Eaton's Intelligent Power Manager (IPM) v 1.67 & prior on file name during configuration file import functionality allows attackers to perform command injection or code execution via specially crafted file names while uploading the configuration file in the application."}, {"lang": "es", "value": "La Comprobaci\u00f3n de Entrada Inapropiada en Eaton Intelligent Power Manager (IPM) versiones v1.67 y anteriores, en el nombre del archivo durante la funcionalidad de importaci\u00f3n del archivo de configuraci\u00f3n permite a atacantes realizar la inyecci\u00f3n de comandos o la ejecuci\u00f3n del c\u00f3digo por medio de nombres de archivo especialmente dise\u00f1ados mientras se carga el archivo de configuraci\u00f3n en la aplicaci\u00f3n."}], "lastModified": "2020-05-12T22:15:12.547", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:eaton:intelligent_power_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E94000EF-A58E-4E02-93B2-2FA18D6DD0E6", "versionEndIncluding": "1.67"}], "operator": "OR"}]}], "sourceIdentifier": "CybersecurityCOE@eaton.com"}