CVE-2021-23277

Summary

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands.

Affected Software

VendorProductVersion RangeStatus
EatonIntelligent Power manager (IPM)unspecified < 1.69affected

Weaknesses

  • CWE-95: CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Workarounds

To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 & 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used

ADP Enrichment

CVE Program Container

Additional References

References