CVE-2021-23277

EVAL INJECTION CWE-95
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to an unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in the “loadUserFile” function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker-controlled commands.

Risk Information

  • CVE ID
  • CVE-2021-23277
  • Vendor
  • Eaton
  • Product
  • Eaton Intelligent Power Manager
  • CVSS v3
  • 8.3