Eaton Vulnerability Advisory ETN-VA-2021-1001a: Security issue in Intelligent Power Manager (IPM v1)

Date: 02/07/2022
Overall Risk: Medium
CVSS v3.1 base score: 5.2

---

Overview

Eaton has been made aware of security vulnerabilities in its Intelligent Power Manager (IPM v1) software. Eaton's Intelligent Power Manager (IPM) software provides the tools needed to monitor and manage power devices in a physical or virtual environment. IPM provides a solution that is easy to use and helps maintain business continuity.

---

Vulnerability Details

CVE-2024-11594

Description: Stored cross-site scripting reported in Intelligent Power Manager (IPM v1)

CVSS v3.1 vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H/E:P/RL:O/CR:L/IR:L/AR:H/MAV:A/MAC:H/MPR:H

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Impact: Eaton Intelligent Power Manager (IPM) prior to 1.70 is vulnerable to stored cross-site scripting. The vulnerability exists because the IPM software does not sufficiently validate input from certain resources before using it to generate web pages. To compromise the system, the attacker would need access to the local subnet and an administrator interaction.

---

Affected Product(s) and Version(s)

The affected products are:

Eaton Intelligent Power Manager (IPM) – all versions prior to 1.70

---

Remediation & Mitigation

Remediation: Eaton has patched these security issues and an updated version of the IPM v1 software has been released. The latest version (V1.70) can be downloaded from the following location:

Eaton IPM v1.70 – Download

Mitigation: Eaton recommends that users follow security best practices and configure the logical access mechanisms provided in IPM to safeguard the application from unauthorized access. IPM provides various administrative, operational and configuration privilege levels. Use the available access
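The advisory classifies the issue as CWE-79 but gives no detail on which resource or page is affected. The following is an added example, not IPM code and not from Eaton: it illustrates the bug class with a hypothetical "device label" field that an attacker on the local subnet could store and an administrator would later view. The payload, the rendering functions and the label rules are constructed for illustration only; the fix shown is the standard one for CWE-79, contextual output encoding of stored data plus an allow-list check on the stored value.

```python
"""Stored XSS (CWE-79): vulnerable rendering beside the hardened form.

Added example for the advisory above. The device-label field, the rendering
functions and the payload are hypothetical, not Eaton IPM code.
"""
import re
from html import escape

# Constructed sample input: a label pushed into a monitored record by an
# attacker on the local subnet. Not a real IPM payload.
ATTACKER_LABEL = 'UPS-01<script>fetch("/api/users?add=x")</script>'
BENIGN_LABEL = "UPS-01 rack_3"

# Allow-list for a device label: printable identifier characters only.
LABEL_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


def validate_label(label: str) -> str:
    """Input validation at storage time: reject anything that is not a plain
    identifier. Raises ValueError on the attacker's payload."""
    if not LABEL_RE.fullmatch(label):
        raise ValueError(f"invalid device label: {label!r}")
    return label


def render_device_row_vulnerable(label: str) -> str:
    """Stored value interpolated straight into HTML: this is the CWE-79
    pattern. The browser of whoever views the page runs the script."""
    return f"<tr><td class='device' title='{label}'>{label}</td></tr>"


def render_device_row_fixed(label: str) -> str:
    """Contextual output encoding: escape the value for both the attribute
    context (quote=True handles ' and ") and the text context."""
    safe = escape(label, quote=True)
    return f"<tr><td class='device' title='{safe}'>{safe}</td></tr>"


def contains_active_markup(fragment: str) -> bool:
    """Crude check used here to show the difference between the two
    renderers: does the output carry a raw <script ...> tag?"""
    return re.search(r"<script\b", fragment, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("vulnerable:", render_device_row_vulnerable(ATTACKER_LABEL))
    print("fixed:     ", render_device_row_fixed(ATTACKER_LABEL))
    try:
        validate_label(ATTACKER_LABEL)
    except ValueError as exc:
        print("rejected at input:", exc)
```

Output encoding is the control that actually closes CWE-79; the allow-list validation is defence in depth and only works where the field genuinely is an identifier. Note also that the payload executes in the administrator's browser with the administrator's session, which is what the advisory's "administrator interaction" refers to.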
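The advisory publishes a full CVSS v3.1 vector, including temporal and environmental metrics, but only one number (5.2). As a check, the following added example (not part of the advisory, not Eaton code) implements the CVSS v3.1 base, temporal and environmental equations from the FIRST specification and re-derives the scores from the published vector. The metric weights are those of the specification; the only assumption is that absent temporal/environmental metrics take their "X" (not defined) values. One caveat the check does not resolve: the vector encodes UI:N, while the Impact text says an administrator interaction is required; the score below is computed from the vector exactly as published.

```python
"""CVSS v3.1 calculator used to check the score in the advisory above.

Added example; implements the base, temporal and environmental equations of
the CVSS v3.1 specification (FIRST), not an Eaton tool.
"""
import math

# Metric weights from the CVSS v3.1 specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}  # CR / IR / AR

# The vector as printed in the advisory.
ADVISORY_VECTOR = ("CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H"
                   "/E:P/RL:O/CR:L/IR:L/AR:H/MAV:A/MAC:H/MPR:H")


def roundup(x: float) -> float:
    """Round up to one decimal as CVSS v3.1 defines it (integer arithmetic
    to avoid floating-point artefacts such as 4.7000001)."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse_vector(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:A/...' into a {metric: value} dict."""
    head, *parts = vector.split("/")
    if head != "CVSS:3.1":
        raise ValueError(f"unsupported vector prefix: {head}")
    return dict(part.split(":", 1) for part in parts)


def _pr(pr: str, scope: str) -> float:
    return (PR_CHANGED if scope == "C" else PR_UNCHANGED)[pr]


def _temporal_factor(m: dict) -> float:
    return E[m.get("E", "X")] * RL[m.get("RL", "X")] * RC[m.get("RC", "X")]


def base_score(m: dict) -> float:
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    scope = m["S"]
    if scope == "U":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * _pr(m["PR"], scope) * UI[m["UI"]]
    if impact <= 0:
        return 0.0
    if scope == "U":
        return roundup(min(impact + expl, 10))
    return roundup(min(1.08 * (impact + expl), 10))


def temporal_score(m: dict) -> float:
    return roundup(base_score(m) * _temporal_factor(m))


def environmental_score(m: dict) -> float:
    """Modified metrics (MAV, MC, ...) fall back to the base metric when
    absent or 'X'; CR/IR/AR default to Medium (weight 1.0)."""
    def mod(name: str) -> str:
        v = m.get("M" + name, "X")
        return m[name] if v == "X" else v

    mc, mi, ma = CIA[mod("C")], CIA[mod("I")], CIA[mod("A")]
    cr, ir, ar = (REQ[m.get(k, "X")] for k in ("CR", "IR", "AR"))
    miss = min(1 - (1 - cr * mc) * (1 - ir * mi) * (1 - ar * ma), 0.915)
    ms = mod("S")
    if ms == "U":
        mimpact = 6.42 * miss
    else:
        mimpact = 7.52 * (miss - 0.029) - 3.25 * (miss * 0.9731 - 0.02) ** 13
    mexpl = 8.22 * AV[mod("AV")] * AC[mod("AC")] * _pr(mod("PR"), ms) * UI[mod("UI")]
    if mimpact <= 0:
        return 0.0
    if ms == "U":
        return roundup(roundup(min(mimpact + mexpl, 10)) * _temporal_factor(m))
    return roundup(roundup(min(1.08 * (mimpact + mexpl), 10)) * _temporal_factor(m))


def severity(score: float) -> str:
    """Qualitative rating scale from the CVSS v3.1 specification."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


if __name__ == "__main__":
    m = parse_vector(ADVISORY_VECTOR)
    print("base", base_score(m), severity(base_score(m)))
    print("temporal", temporal_score(m))
    print("environmental", environmental_score(m))
```

Run against the published vector the calculator returns a base score of 5.2 (Medium), so the number in the advisory is the base score; with the temporal metrics (E:P, RL:O) it drops to 4.7, and with the environmental metrics (CR:L, IR:L, AR:H, MAC:H) it rises to 5.5. When importing the advisory into a risk register it is worth recording which of the three you are using.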