CVE-2020-6650

Published: 23/03/2020 Updated: 27/03/2020
CVSS v2 Base Score: 5.8 | Impact Score: 6.4 | Exploitability Score: 6.5
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 516
Vector: AV:A/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

UPS Companion software v1.05 and prior is affected by an 'Eval Injection' vulnerability. The software does not neutralize, or incorrectly neutralizes, code syntax before using the input in a dynamic evaluation call (e.g. "eval") in the "Update Manager" class when the software attempts to check whether updates are available. This results in arbitrary code execution on the machine where the software is installed.

Vulnerable Product

eaton ups companion

GitHub Repositories

This repository details CVE-2020-6650, a vulnerability I discovered within Eaton's UPS Companion. All users should upgrade to v1.06 immediately or else they risk remote administrator access to their system.

Overview

The Eaton UPS Companion software checks for an update every single week over an insecure HTTP connection and eval()s the content of whatever is at the update URL. This allows an attacker to craft a JavaScript function which uses the low-level OS operations that already exist in the backend software, like file execution, network sockets, and filesystem I/O. All of these