CVE-2021-23278

Name of the Vulnerable Software and Affected Versions Eaton Intelligent Power Manager (IPM) versions prior to 1.69

Description The issue is related to improper input validation, allowing an authenticated arbitrary file delete vulnerability. This vulnerability can be exploited by sending specially crafted packets to delete files on the system where the IPM software is installed. The vulnerability is specifically induced at server/maps srv.js with the action removeBackground and at server/node upgrade srv.js with the action removeFirmware.

Recommendations For versions prior to 1.69, update to version 1.69 or later to resolve the issue. As a temporary workaround, consider restricting access to the server/maps srv.js and server/node upgrade srv.js files to minimize the risk of exploitation. Additionally, avoid using the removeBackground and removeFirmware actions in the affected API endpoints until the issue is resolved.