HIO-2009-0415 APC NMC devices CSRF & XSS
APC Network Management Card (NMC) based devices contain flaws that allow cross-site scripting and cross-site request forgery. This includes Switched Rack PDUs.
CSRF: The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify that the request was intentionally issued by the user. This can be exploited to, e.g., create administrative users when a logged-in administrative user visits a malicious web page.
XSS: Input passed to various parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
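The two server-side checks whose absence the advisory describes, shown together in one added example. This is illustrative code written for this page, not APC firmware or any NMC interface: the paths (`/users/add`, `/login`), the field names (`csrf_token`, `name`, `admin`, `error`) and the host name `nmc.example` are assumed. A state-changing request is only honoured when it carries the per-session synchronizer token and comes from the device's own origin; a reflected parameter is HTML-encoded before it is written into the page.

```python
"""Illustrative request handler (added example, not APC's code): a
synchronizer-token check for state-changing requests and output
encoding for reflected input."""
import hmac
import html
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Session:
    """Server-side session; the CSRF token is bound to it, never to the URL."""
    user: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal request model (constructed for the example)."""
    method: str
    path: str
    headers: dict   # e.g. {"Origin": "https://nmc.example"}
    form: dict      # POST body fields
    query: dict     # URL query parameters


# In-memory user store standing in for the device's configuration.
USERS: dict = {}


def origin_allowed(headers: dict, own_host: str) -> bool:
    """Reject requests whose Origin/Referer names another site.
    A missing header is tolerated (older clients); the token check
    below still has to pass in that case."""
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return True
    return urlsplit(source).netloc == own_host


def csrf_valid(session: Session, req: Request) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    sent = req.form.get("csrf_token", "")
    return hmac.compare_digest(sent.encode(), session.csrf_token.encode())


def render_user_form(session: Session) -> str:
    """The legitimate form embeds the session token as a hidden field,
    which a page on another origin cannot read."""
    return (
        '<form method="POST" action="/users/add">'
        f'<input type="hidden" name="csrf_token" value="{html.escape(session.csrf_token)}">'
        '<input name="name"><input name="admin" value="1" type="checkbox"></form>'
    )


def handle(session: Session, req: Request, own_host: str = "nmc.example"):
    """Dispatch one request and return (status, body)."""
    if req.method == "POST" and req.path == "/users/add":
        if not session.is_admin:
            return 403, "forbidden"
        # CSRF defence: same-origin source AND a valid synchronizer token.
        if not origin_allowed(req.headers, own_host) or not csrf_valid(session, req):
            return 403, "CSRF check failed"
        name = req.form.get("name", "")
        USERS[name] = {"admin": req.form.get("admin") == "1"}
        return 200, "user %s created" % html.escape(name)
    if req.method == "GET" and req.path == "/login":
        # XSS defence: encode reflected input for an HTML text context.
        err = req.query.get("error", "")
        return 200, "<p class='err'>%s</p>" % html.escape(err, quote=True)
    return 404, "not found"
```

The Origin check and the token check are deliberately independent: a forged cross-site POST fails the first, and a same-origin request that did not come through the server-rendered form fails the second. `html.escape` is the right encoder only for HTML body text; a value reflected into an attribute, URL or script context needs the encoding for that context.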
APC has implemented and released a firmware solution for the detailed issue on a large population of the devices, and continues to update applications with this update largely based on their population in the field.
When an update is available for each relevant application, APC will make each available to the general public via our web site (www.apc.com).
US-CERT VU: 166739
Vendor Solution: Answer ID 10887