CVE-2021-23277 Vulnerability Details


CVE-2021-23277 Metadata Quick Info

CVE Published: 13/04/2021 | CVE Updated: 16/09/2024 | CVE Year: 2021
Source: Eaton | Vendor: Eaton | Product: Intelligent Power Manager (IPM)
Status: PUBLISHED

CVE-2021-23277 Description

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to an unauthenticated eval injection. The software does not neutralize code syntax in user-supplied input before using it in the dynamic evaluation call in the loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker-controlled commands.

Metrics

CVSS Version: 3.1 | Base Score: 8.3 HIGH
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitability Metrics:
    Attack Vector (AV): ADJACENT_NETWORK
    Attack Complexity (AC): HIGH
    Privileges Required (PR): NONE
    User Interaction (UI): NONE
    Scope (S): CHANGED

Impact Metrics:
    Confidentiality Impact (C): HIGH
    Integrity Impact (I): HIGH
    Availability Impact (A): HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-95
CWE Name: CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Source: Eaton

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).