Eval Injection in Eaton products - CVE-2021-23277


Published: April 21, 2021


Vulnerability identifier: #VU52451
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-23277
CWE-ID: CWE-95
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vulnerable software:
Intelligent Power Manager
Intelligent Power Manager Virtual Appliance
Intelligent Power Protector
Software vendor:
Eaton

Description

The vulnerability allows an attacker on the adjacent network to compromise the system.

The vulnerability exists because the affected software does not neutralize code syntax in user-supplied input before passing it to a dynamic evaluation call in the "loadUserFile" function in scripts/libs/utils.js (CWE-95, eval injection). An attacker on the local network who controls the input reaching that function can have it evaluated as code and execute arbitrary attacker-controlled commands in the context of the application.
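The following is an added illustration of the bug class named above, not code from Eaton or from this advisory. It places a hypothetical "load a user file through eval" routine beside a hardened replacement that treats the file as data, plus a crude audit helper for locating dynamic-evaluation calls in a code base. The settings-file format, the payload, and every identifier other than loadUserFile are assumptions made for the example.

```javascript
// Added example for the CWE-95 pattern described above. This is not
// Eaton's code: the settings-file format, the payload and the helper
// names are assumptions made for illustration. Runs stand-alone on Node.js.

// Vulnerable pattern (assumed shape of the bug class): a per-user settings
// file written as a JavaScript object literal is "parsed" by handing its
// text to eval(). Whoever controls that text runs code in the process.
function loadUserFileUnsafe(fileText) {
  // Parentheses make eval treat "{...}" as an expression, not a block.
  return eval('(' + fileText + ')'); // CWE-95: untrusted input evaluated as code
}

// Hardened replacement: treat the file as data. JSON.parse accepts only
// literals and throws on anything executable; the result is then checked
// against the keys and value types the application actually expects.
const ALLOWED_KEYS = new Set(['lang', 'theme']);

function loadUserFileSafe(fileText) {
  let parsed;
  try {
    parsed = JSON.parse(fileText);
  } catch (err) {
    return { ok: false, reason: 'not valid JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, reason: 'expected a JSON object' };
  }
  const settings = {};
  for (const key of Object.keys(parsed)) {
    if (!ALLOWED_KEYS.has(key)) {
      return { ok: false, reason: 'unexpected key: ' + key };
    }
    if (typeof parsed[key] !== 'string') {
      return { ok: false, reason: 'non-string value for ' + key };
    }
    settings[key] = parsed[key];
  }
  return { ok: true, settings };
}

// Constructed inputs. The malicious file is a valid JavaScript object
// literal but not valid JSON; its "theme" value runs arbitrary code before
// yielding a plausible string. Here the payload only sets a global marker,
// so the effect is observable without touching the host.
const BENIGN_FILE = '{"lang": "en", "theme": "dark"}';
const MALICIOUS_FILE =
  '{"lang": "en", "theme": (globalThis.evalInjectionMarker = "attacker code ran", "dark")}';

// Code-audit helper: flag source lines that hand a string to a dynamic
// evaluator. A deliberately simple grep meant to seed a manual review.
const DYNAMIC_EVAL = /\b(eval|new\s+Function)\s*\(/;

function findDynamicEvalCalls(sourceText) {
  return sourceText
    .split('\n')
    .map((line, i) => ({ line: i + 1, text: line.trim() }))
    .filter(({ text }) => DYNAMIC_EVAL.test(text) && !text.startsWith('//'));
}

// Run both loaders on the malicious file and report what each one did.
function demo() {
  delete globalThis.evalInjectionMarker;
  const unsafeResult = loadUserFileUnsafe(MALICIOUS_FILE);
  const ranAttackerCode = globalThis.evalInjectionMarker === 'attacker code ran';
  const safeResult = loadUserFileSafe(MALICIOUS_FILE);
  return {
    unsafeTheme: unsafeResult.theme,   // looks fine, which is why eval "parsers" survive review
    ranAttackerCode,                   // true: the side effect fired during eval
    safeRejected: !safeResult.ok,      // true: JSON.parse refused the code
    safeReason: safeResult.reason,
  };
}

console.log(demo());
```

The point of the demo is that the unsafe loader returns a perfectly plausible settings object, so a developer testing with normal files never sees the problem; only the side effect betrays that attacker code ran. The audit helper is intentionally crude (it will also flag legitimate uses), but any hit on a code path fed by user-controlled data deserves the JSON.parse-plus-allowlist treatment shown here.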


Remediation

Install the update from the vendor's website.

External links