Vulnerabilities > CVE-2020-6656 - Type Confusion vulnerability in Eaton Easysoft

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

eaton

CWE-843

NVD

Published: 2021-01-07

Updated: 2024-11-21

Summary

Eaton's easySoft software v7.xx prior to v7.22 are susceptible to file parsing type confusion remote code execution vulnerability. A malicious entity can execute a malicious code or make the application crash by tricking user upload a malformed .E70 file in the application. The vulnerability arises due to improper validation of user data supplied through E70 file which is causing Type Confusion.

Vulnerable Configurations

Part	Description	Count
Application	Eaton Eaton Easysoft 7.00 Eaton Easysoft 7.01 Eaton Easysoft 7.3 Eaton Easysoft 7.10 Eaton Easysoft 7.11	5

Common Weakness Enumeration (CWE)

CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

References

https://us-cert.cisa.gov/ics/advisories/icsa-21-007-03
https://us-cert.cisa.gov/ics/advisories/icsa-21-007-03
https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/easySoft-eaton-vulnerability-advisory.pdf
https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/easySoft-eaton-vulnerability-advisory.pdf
https://www.zerodayinitiative.com/advisories/ZDI-20-1441/
https://www.zerodayinitiative.com/advisories/ZDI-20-1441/
https://www.zerodayinitiative.com/advisories/ZDI-20-1442/
https://www.zerodayinitiative.com/advisories/ZDI-20-1442/
https://www.zerodayinitiative.com/advisories/ZDI-20-1444/
https://www.zerodayinitiative.com/advisories/ZDI-20-1444/