CVE-2021-23277
published 2021-04-13CVE-2021-23277: Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax…
PriorityP260critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
EPSS
0.96%
57.2th percentile
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eaton | intelligent_power_manager | < 1.69 | 1.69 |
| eaton | intelligent_power_manager | >= unspecified < 1.69 | 1.69 |
| eaton | intelligent_power_manager_virtual_appliance | < 1.69 | 1.69 |
| eaton | intelligent_power_protector | < 1.68 | 1.68 |
CVSS provenance
nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-qcjf-2v2g-8464: Eaton Intelligent Power Manager (IPM) prior to 1
ghsa_unreviewed·2022-05-24
CVE-2021-23277 [CRITICAL] CWE-94 GHSA-qcjf-2v2g-8464: Eaton Intelligent Power Manager (IPM) prior to 1
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands.
CISA ICS
Eaton Intelligent Power Manager
cisa_ics·2021-04-20·CVSS 7.1
[HIGH] Eaton Intelligent Power Manager
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
Eaton Intelligent Power Manager
Last RevisedApril 20, 2021
Alert CodeICSA-21-110-06
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Eaton
- Equipment: Intelligent Power Manager (IPM)
- Vulnerabilities: SQL Injection, Eval Injection, Improper Input Validation, Unrestricted Upload of File with Dangerous Type, Code Injection
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow attackers to change certain settings, upload code, delete files, or execute commands.
## 3. TECHNICAL DETAILS
## 3
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdfhttps://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf
2021-04-13
Published