CVE-2021-23277
Summary
| CVE | CVE-2021-23277 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-04-13 19:15:00 UTC |
| Updated | 2023-06-26 19:20:00 UTC |
| Description | Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands. |
Risk And Classification
Problem Types: CWE-94
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Eaton | Intelligent Power Manager | All | All | All | All |
| Application | Eaton | Intelligent Power Manager Virtual Appliance | All | All | All | All |
| Application | Eaton | Intelligent Power Protector | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/securit... | MISC | www.eaton.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Amir Preminger from Claroty research
There are currently no legacy QID mappings associated with this CVE.