CVE-2021-23278 HIGH

CVE-2021-23278: Arbitrary File delete

Vendor Eaton
Product Intelligent Power manager (IPM)
Weakness CWE-20 · Input validation
Published April 13, 2021
Last update September 16, 2024

CVSS base score

8.7/10
Attack vector Adjacent
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

What the vulnerability does

01Description

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.

Key dates

02Disclosure timeline

April 13, 2021 CVE published
September 16, 2024 Record updated