CVE-2021-23283 - OpenCVE

Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Eaton	Intelligent Power Protector

Configuration 1 [-]

cpe:2.3:a:eaton:intelligent_power_protector:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Eaton

Published: 2022-03-01T00:00:00

Updated: 2022-04-19T20:26:41

Reserved: 2021-01-08T00:00:00

Link: CVE-2021-23283

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-04-19T21:15:12.623

Modified: 2022-04-27T18:28:14.050

Link: CVE-2021-23283

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "Eaton Intelligent Power Protector (IPP)", "vendor": "Eaton", "versions": [{"lessThan": "1.69 release 166", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Eaton thanks the below organization and individuals for their coordinated support on the security vulnerability: CVE-2021-23283 - Micheal Heinzl via ICS-Cert"}], "datePublic": "2022-03-01T00:00:00", "descriptions": [{"lang": "en", "value": "Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T20:26:41", "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759", "shortName": "Eaton"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf"}], "solutions": [{"lang": "en", "value": "Eaton has patched the security issue and new version of the affected software has been released. The latest version can be downloaded from below location: - Eaton IPP v1.69 https://www.eaton.com/us/en-us/products/backup-power-ups-surge-it-power-distribution/software-downloads.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Security issues in Eaton Intelligent Power Protector (IPP)", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "CybersecurityCOE@eaton.com", "DATE_PUBLIC": "2022-03-01T02:10:00.000Z", "ID": "CVE-2021-23283", "STATE": "PUBLIC", "TITLE": "Security issues in Eaton Intelligent Power Protector (IPP)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Eaton Intelligent Power Protector (IPP)", "version": {"version_data": [{"version_affected": "<", "version_value": "1.69 release 166"}]}}]}, "vendor_name": "Eaton"}]}}, "credit": [{"lang": "eng", "value": "Eaton thanks the below organization and individuals for their coordinated support on the security vulnerability: CVE-2021-23283 - Micheal Heinzl via ICS-Cert"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf", "refsource": "MISC", "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf"}]}, "solution": [{"lang": "en", "value": "Eaton has patched the security issue and new version of the affected software has been released. The latest version can be downloaded from below location: - Eaton IPP v1.69 https://www.eaton.com/us/en-us/products/backup-power-ups-surge-it-power-distribution/software-downloads.html"}], "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759", "assignerShortName": "Eaton", "cveId": "CVE-2021-23283", "datePublished": "2022-03-01T00:00:00", "dateReserved": "2021-01-08T00:00:00", "dateUpdated": "2022-04-19T20:26:41", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eaton:intelligent_power_protector:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8187D4D-7A38-47E5-A527-9E31527708DA", "versionEndExcluding": "1.69", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software."}, {"lang": "es", "value": "Eaton Intelligent Power Protector (IPP) versiones anteriores a 1.69 es vulnerable al Cross Site Scripting almacenado. La vulnerabilidad es presentada debido a una insuficiente comprobaci\u00f3n de la entrada del usuario y a una codificaci\u00f3n inapropiada de la salida de determinados recursos dentro del software IPP"}], "id": "CVE-2021-23283", "lastModified": "2022-04-27T18:28:14.050", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 4.2, "source": "CybersecurityCOE@eaton.com", "type": "Secondary"}]}, "published": "2022-04-19T21:15:12.623", "references": [{"source": "CybersecurityCOE@eaton.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1001b_V1.0.pdf"}], "sourceIdentifier": "CybersecurityCOE@eaton.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "CybersecurityCOE@eaton.com", "type": "Secondary"}]}