Eval Injection in Eaton products - CVE-2021-23277

 

Eval Injection in Eaton products - CVE-2021-23277

Published: April 21, 2021


Vulnerability identifier: #VU52451
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-23277
CWE-ID: CWE-95
Exploitation vector: Adjecent network
Exploit availability: No public exploit available
Vendor: Eaton
Affected software:
Intelligent Power Manager
Intelligent Power Manager Virtual Appliance
Intelligent Power Protector

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the system.

The vulnerability exists due to the affected software does not neutralize code syntax from users before using in the dynamic evaluation call in the "loadUserFile" function under scripts/libs/utils.js. A remote attacker on the local network can control the input to the function and execute attacker-controlled commands.


How to mitigate CVE-2021-23277

Install update from vendor's website.

Sources