PT-2021-15430 · Eaton · Eaton Intelligent Power Manager

Amir Preminger · Published 2021-04-13 · Updated 2023-06-26 · CVE-2021-23277

CVSS v3.1: 10 (Critical) · Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Eaton Intelligent Power Manager (IPM) versions prior to 1.69

Description: The issue concerns an unauthenticated eval injection vulnerability. It arises because the software fails to neutralize code syntax from users before using it in the dynamic evaluation call in the loadUserFile function under scripts/libs/utils.js. This allows attackers to control the input to the function and execute attacker-controlled commands.

Recommendations: For versions prior to 1.69, update to version 1.69 or later to resolve the issue. As a temporary workaround, consider restricting access to the loadUserFile function under scripts/libs/utils.js to minimize the risk of exploitation.
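Added illustration, not Eaton's code: the pattern the advisory describes (user-controlled file text handed to a dynamic evaluation call) beside a loader that treats the file as data and validates it against an allow-list of expected keys. The ALLOWED schema and the two sample inputs are constructed for this example.

```javascript
// Illustrative only, NOT the IPM loadUserFile implementation.

// Unsafe pattern: the file text is executed as JavaScript, so any code
// syntax it contains runs with the privileges of the process.
function loadUserFileUnsafe(text) {
  // eslint-disable-next-line no-eval
  return eval('(' + text + ')');
}

// Hardened pattern: parse as data only, then enforce an allow-list of keys
// and primitive types. Code syntax is never interpreted, only rejected.
// Constructed schema for this example.
const ALLOWED = { name: 'string', interval: 'number', enabled: 'boolean' };

function loadUserFileSafe(text) {
  let data;
  try {
    data = JSON.parse(text); // JSON.parse evaluates no expressions
  } catch (e) {
    throw new Error('user file is not valid JSON');
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new Error('user file must be a JSON object');
  }
  const out = {};
  for (const [key, value] of Object.entries(data)) {
    // hasOwnProperty guards against keys such as "__proto__" or "constructor"
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, key)) {
      throw new Error('unexpected key: ' + key);
    }
    if (typeof value !== ALLOWED[key]) {
      throw new Error('wrong type for key: ' + key);
    }
    out[key] = value;
  }
  return out;
}

// Constructed sample inputs: a well-formed settings file and one that
// carries an arithmetic expression where a plain value is expected.
const GOOD = '{"name": "ups-1", "interval": 30, "enabled": true}';
const CODE = '{"name": "ups-1", "interval": 6 * 5, "enabled": true}';

console.log('unsafe loader interval:', loadUserFileUnsafe(CODE).interval); // 30: expression executed
try {
  loadUserFileSafe(CODE);
} catch (e) {
  console.log('safe loader rejected it:', e.message);
}
console.log('safe loader accepts data:', loadUserFileSafe(GOOD));
```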

Weakness Enumeration: Code Injection, Eval Injection

Related Identifiers: CVE-2021-23277

Affected Products: Eaton Intelligent Power Manager