CVE-2020-6650 HIGH

CVE-2020-6650: Arbitrary code execution through “Update Manager” Class

Vendor Eaton
Product UPS Companion Software
Weakness CWE-95 · Eval injection
Published March 23, 2020
Last update September 16, 2024

CVSS base score

8.3/10
Attack vector Adjacent
Attack complexity High
Privileges required None
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

UPS Companion software v1.05 and prior is affected by an "Eval Injection" vulnerability. The software does not neutralize, or incorrectly neutralizes, code syntax before using the input in a dynamic evaluation call (e.g. "eval") in the "Update Manager" class when the software checks whether updates are available. This results in arbitrary code execution on the machine where the software is installed.

Key dates

Disclosure timeline

March 23, 2020 CVE published
September 16, 2024 Record updated