CVE-2021-23277

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:eaton:intelligent_power_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:eaton:intelligent_power_manager_virtual_appliance:*:*:*:*:*:*:*:*
cpe:2.3:a:eaton:intelligent_power_protector:*:*:*:*:*:*:*:*

History

21 Nov 2024, 05:51

Type Values Removed Values Added
References () https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf - Vendor Advisory () https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf - Vendor Advisory
CVSS v2 : 7.5
v3 : 10.0
v2 : 7.5
v3 : 8.3

26 Jun 2023, 19:20

Type Values Removed Values Added
CWE NVD-CWE-Other CWE-94

Information

Published : 2021-04-13 19:15

Updated : 2024-11-21 05:51


NVD link : CVE-2021-23277

Mitre link : CVE-2021-23277

CVE.ORG link : CVE-2021-23277


JSON object : View

Products Affected

eaton

  • intelligent_power_protector
  • intelligent_power_manager
  • intelligent_power_manager_virtual_appliance
CWE
CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CWE-94

Improper Control of Generation of Code ('Code Injection')