{"api_version":"1","generated_at":"2026-04-23T04:12:09+00:00","cve":"CVE-2021-23288","urls":{"html":"https://cve.report/CVE-2021-23288","api":"https://cve.report/api/cve/CVE-2021-23288.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-23288","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-23288"},"summary":{"title":"CVE-2021-23288","description":"The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. The attacker would need access to the local Subnet and an administrator interaction to compromise the system. This issue affects: Intelligent Power Protector versions prior to 1.69.","state":"PUBLIC","assigner":"CybersecurityCOE@eaton.com","published_at":"2022-04-01 23:15:00","updated_at":"2022-04-09 00:40:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf","name":"https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf","refsource":"MISC","tags":[],"title":"","mime":"","httpstatus":"-1","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-23288","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23288","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Eaton thanks the below researchers for the coordinated support on the security vulnerabilities: - • CVE-2021-23288 – Andreas Finstad and Arthur Donkers","lang":""}],"nvd_cpes":[{"cve_year":"2021","cve_id":"23288","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"eaton","cpe5":"intelligent_power_protector","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"CybersecurityCOE@eaton.com","DATE_PUBLIC":"2022-02-08T11:20:00.000Z","ID":"CVE-2021-23288","STATE":"PUBLIC","TITLE":"Security issues in Intelligent Power Protector"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Intelligent Power Protector","version":{"version_data":[{"version_affected":"<","version_value":"1.69"}]}}]},"vendor_name":"Eaton"}]}},"credit":[{"lang":"eng","value":"Eaton thanks the below researchers for the coordinated support on the security vulnerabilities: - • CVE-2021-23288 – Andreas Finstad and Arthur Donkers"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. The attacker would need access to the local Subnet and an administrator interaction to compromise the system. This issue affects: Intelligent Power Protector versions prior to 1.69."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":5.6,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-79 Cross-site Scripting (XSS)"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf","name":"https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Protector-Vulnerability-Advisory_1002b_V1.0.pdf"}]},"solution":[{"lang":"eng","value":"Eaton has patched these security issues and new versions of the affected software are released. The latest versions can be downloaded from below location: -\nEaton IPM v1.69 – https://www.eaton.com/us/en-us/catalog/backup-power-ups-surge-it-power-distribution/eaton-intelligent-power-protector.resources.html"}],"source":{"advisory":"ETN-VA-2021-1002b","discovery":"EXTERNAL"}},"nvd":{"publishedDate":"2022-04-01 23:15:00","lastModifiedDate":"2022-04-09 00:40:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":4.8,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.7,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:A/AC:M/Au:S/C:N/I:P/A:N","accessVector":"ADJACENT_NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":2.3},"severity":"LOW","exploitabilityScore":4.4,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:eaton:intelligent_power_protector:*:*:*:*:*:*:*:*","versionEndExcluding":"1.69","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"23288","Ordinal":"198015","Title":"CVE-2021-23288","CVE":"CVE-2021-23288","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"23288","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}