HIO-2009-0415 APC NMC devices CSRF & XSS
APC Network Management Card (NMC) based devices contain flaws that allow cross-site scripting and cross-site request forgery. This includes Switched Rack PDUs.

CSRF: The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to, for example, create administrative users when a logged-in administrative user visits a malicious web page.

XSS: Input passed to various parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

APC has implemented and released a firmware solution for the detailed issue on a large population of the devices, and continues to update applications with this update largely based on their population in the field. When an update is available for each relevant application, APC will make each available to the general public via our web site (www.apc.com).

References:
BID: 37338
FrSIRT: N/A
Nessus: N/A
SA: 37744
SecurityTracker: 1023388
US-CERT VU: 166739
XF: 54824
Related:
Vendor Solution: Answer ID 10887
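The two flaw classes above, modelled as an added example. This is illustration code written for this page, not APC NMC firmware and not derived from it: the request and session objects, the in-memory user store, the `/Forms/adduser` path, the `192.0.2.10` device address, the cookie value and the parameter names (`name`, `password`, `admin`, `csrf_token`) are all assumptions. The vulnerable handler honours any POST that carries the administrator's session cookie, which a browser attaches to a form submission from any site; the hardened handler additionally requires a session-bound token the attacker's page cannot read and rejects a mismatched Origin. The render functions show the reflected parameter with and without HTML escaping.

```python
"""Added illustration of the CSRF and XSS patterns in HIO-2009-0415.
Not APC firmware; all names, paths, addresses and parameters are constructed."""
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs


@dataclass
class Request:
    """Minimal model of a request as a device's web server would see it."""
    method: str
    path: str
    body: str = ""                          # application/x-www-form-urlencoded
    cookie_session: Optional[str] = None    # session cookie the browser attaches on its own
    origin: Optional[str] = None            # Origin header; browsers send it on cross-site POSTs

    def form(self) -> Dict[str, str]:
        return {k: v[0] for k, v in parse_qs(self.body).items()}


@dataclass
class Session:
    user: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def vulnerable_add_user(req: Request, sessions: dict, users: dict) -> Tuple[int, str]:
    """Flawed pattern: the only check is that a logged-in admin's cookie is present,
    so a page the admin merely visits can submit this form and create an administrator."""
    sess = sessions.get(req.cookie_session)
    if sess is None or not sess.is_admin:
        return 403, "forbidden"
    f = req.form()
    users[f["name"]] = {"password": f["password"], "admin": f.get("admin") == "1"}
    return 200, "created"


def hardened_add_user(req: Request, sessions: dict, users: dict,
                      site_origin: str = "https://192.0.2.10") -> Tuple[int, str]:
    """Same action, but the request must prove it came from the device's own page."""
    sess = sessions.get(req.cookie_session)
    if sess is None or not sess.is_admin:
        return 403, "forbidden"
    if req.method != "POST":
        return 405, "state change requires POST"
    # Cheap first filter: a cross-site form post carries the attacker's Origin.
    if req.origin is not None and req.origin != site_origin:
        return 403, "cross-origin request rejected"
    # Decisive check: a per-session secret that a foreign page cannot read or guess.
    if not hmac.compare_digest(req.form().get("csrf_token", ""), sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    f = req.form()
    users[f["name"]] = {"password": f["password"], "admin": f.get("admin") == "1"}
    return 200, "created"


def vulnerable_render_error(param: str) -> str:
    """Reflects the raw parameter into the page: the XSS the advisory describes."""
    return f"<p>Unknown parameter: {param}</p>"


def hardened_render_error(param: str) -> str:
    """Escapes <, >, &, and quotes so the parameter can only ever be text."""
    return f"<p>Unknown parameter: {html.escape(param, quote=True)}</p>"


# Constructed: the kind of page that triggers the CSRF when an admin visits it.
ATTACKER_PAGE = """<form id="f" method="POST" action="https://192.0.2.10/Forms/adduser">
<input name="name" value="backdoor"><input name="password" value="hunter2">
<input name="admin" value="1"></form><script>document.getElementById("f").submit()</script>"""


def run_scenario() -> dict:
    """Replays the forged post against both handlers, then a legitimate post and the XSS payload."""
    sessions = {"c0ffee": Session(user="apc", is_admin=True)}
    forged = Request(method="POST", path="/Forms/adduser",
                     body="name=backdoor&password=hunter2&admin=1",
                     cookie_session="c0ffee", origin="http://attacker.example")
    vuln_users, hard_users = {}, {}
    vuln_status, _ = vulnerable_add_user(forged, sessions, vuln_users)
    hard_status, _ = hardened_add_user(forged, sessions, hard_users)
    legit = Request(method="POST", path="/Forms/adduser",
                    body="name=ops&password=s3cret&csrf_token=" + sessions["c0ffee"].csrf_token,
                    cookie_session="c0ffee", origin="https://192.0.2.10")
    legit_status, _ = hardened_add_user(legit, sessions, hard_users)
    payload = "<script>alert(document.cookie)</script>"
    return {
        "forged_vulnerable": (vuln_status, vuln_users.get("backdoor", {}).get("admin", False)),
        "forged_hardened": (hard_status, "backdoor" in hard_users),
        "legit_hardened": (legit_status, "ops" in hard_users),
        "xss_vulnerable": vulnerable_render_error(payload),
        "xss_hardened": hardened_render_error(payload),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, "->", v)
```

The Origin check alone is not sufficient (older browsers, and some proxies, omit the header, which is why the code only rejects a present-but-wrong value), so the session-bound token is the check that actually closes the hole; comparing it with `hmac.compare_digest` avoids leaking the token through timing. On the XSS side, escaping at output time is the right place, because the same parameter value may be reflected into several pages.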