This repository details CVE-2020-6650, a vulnerability I discovered within Eaton's UPS Companion. All users should upgrade to v1.06 immediately or else they risk remote administrator access to their system.
Overview

The Eaton UPS Companion software checks for an update every single week over an insecure HTTP connection and eval()s the content of whatever is at the update URL. This allows an attacker to craft a JavaScript function which uses the low-level OS operations that already exist in the backend software, like file execution, network sockets, and filesystem I/O. All of these