CVE-2021-23277

Improper Neutralization of Directives in Dynamically Evaluated Code

Description

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands.

Remediation

Solution:

upgrade the software to latest version 1.69

Workaround:

To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 & 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used

References

Link	Tags
https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2021-23277?: CVE-2021-23277 has been scored as a high severity vulnerability.
How to fix CVE-2021-23277?: To fix CVE-2021-23277: upgrade the software to latest version 1.69
Is CVE-2021-23277 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2021-23277 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-23277?: CVE-2021-23277 affects Eaton Intelligent Power manager (IPM).

Description

Remediation

Categories

CWE-95 – Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CWE-94 – Improper Control of Generation of Code ('Code Injection')

References

Frequently Asked Questions