Platform
other
Component
eaton-intelligent-power-manager-infrastructure
Fixed in
1.5.1
A reflected Cross-Site Scripting (XSS) vulnerability exists in Eaton Intelligent Power Manager Infrastructure versions up to and including 1.5.0plus205. This flaw allows attackers to inject malicious scripts into web pages viewed by users, potentially leading to session hijacking or data theft. The vulnerability was published on April 18, 2022, and a fix is available through an upgrade to a patched version.
The reflected XSS vulnerability in Eaton Intelligent Power Manager Infrastructure allows an attacker to inject arbitrary JavaScript code into a user's browser. This can be achieved by crafting a malicious URL containing the XSS payload, which is then executed when the user visits the URL. Successful exploitation could result in an attacker stealing session cookies, redirecting users to phishing sites, or defacing the web interface. The impact is primarily focused on user accounts with access to the IPM Infrastructure web interface, potentially compromising sensitive power management data and control.
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a low probability of immediate widespread exploitation. However, the ease of exploitation inherent in reflected XSS vulnerabilities means it remains a potential risk, particularly if the IPM Infrastructure is exposed to untrusted networks.
Exploit Status
EPSS
0.22% (45% percentile)
CVSS Vector
The primary mitigation for CVE-2021-23285 is to upgrade Eaton Intelligent Power Manager Infrastructure to a version that includes the security fix. Since a specific fixed version isn't provided, consult Eaton's support channels for the latest release. As a temporary workaround, implement strict input validation and output encoding on all user-supplied data within the IPM Infrastructure web interface. Consider using a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests. Regularly review and update security policies to prevent similar vulnerabilities.
Actualice Eaton Intelligent Power Manager Infrastructure a una versión posterior a 1.5.0plus205. Consulte el boletín de seguridad de Eaton para obtener más detalles e instrucciones específicas de actualización.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2021-23285 is a reflected Cross-Site Scripting (XSS) vulnerability affecting Eaton Intelligent Power Manager Infrastructure versions up to 1.5.0plus205, allowing attackers to inject malicious scripts.
If you are using Eaton Intelligent Power Manager Infrastructure version 1.5.0plus205 or earlier, you are potentially affected by this vulnerability.
Upgrade to the latest available version of Eaton Intelligent Power Manager Infrastructure. Consult Eaton's support channels for the patched version.
While no widespread exploitation has been confirmed, the ease of exploitation means it remains a potential risk.
Refer to Eaton's security advisory page for the latest information and updates regarding CVE-2021-23285.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.