CVE-2008-6816

Eaton MGEOPS Network Shutdown Module before 3.10 Build 13 allows remote attackers to execute arbitrary code by adding a custom action to the MGE frontend via pane_actionbutton.php, and then executing this action via exec_action.php.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Network_shutdown_module	Eaton	*	3.1_beta (including)
Network_shutdown_module	Eaton	2.6 (including)	2.6 (including)
Network_shutdown_module	Eaton	3.0 (including)	3.0 (including)
Network_shutdown_module	Eaton	3.02 (including)	3.02 (including)
Network_shutdown_module	Eaton	3.04 (including)	3.04 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/114.html
https://cwe.mitre.org/data/definitions/115.html
https://cwe.mitre.org/data/definitions/151.html
https://cwe.mitre.org/data/definitions/194.html
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/57.html
https://cwe.mitre.org/data/definitions/593.html
https://cwe.mitre.org/data/definitions/633.html
https://cwe.mitre.org/data/definitions/650.html
https://cwe.mitre.org/data/definitions/94.html

References

http://download.mgeops.com/install/win32/nsm/release_note_nsm_320.txt
http://osvdb.org/50051
http://secunia.com/advisories/32456
http://www.nruns.com/security_advisory_eaton_mge_ops_network_shutdown_module_authentication_bypass.php
http://www.securityfocus.com/archive/1/497824/100/100/threaded
http://www.securityfocus.com/bid/31933
https://exchange.xforce.ibmcloud.com/vulnerabilities/46131

NVD	https://nvd.nist.gov/vuln/detail/CVE-2008-6816
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References