Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability (NMC3 RPDU2G)

Issue:
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists when an outlet user can create a “outlet link” which could allow the security token for a superuser to be forwarded to a machine controlled by the attacker, allowing the user to access the system with elevated privileges. Specifying all links as no referrer blocks the security token from being sent.

Product Lines:

Product	Version
AP7xxxx and AP8xxx with NMC2	V6.9.6 or earlier
AP7xxx and AP8xxx with NMC3	v1.1.0.3 or earlier
APDU9xxx with NMC3	v1.0.0.28 or earlier

Solution:
A firmware update has been made available to address CWE-79, and has been attached to this article. Please use the below chart to select the proper firmware version.

AP7xxxx and AP8xxx with NMC2	v7.0.6 of the Rack PDU firmware includes a fix for this vulnerability and is available for download here
AP7xxx and AP8xxx with NMC3	v1.2.0.2 of the Rack PDU firmware includes a fix for this vulnerability and is available for download here
APDU9xxx with NMC3	v1.2.0.2 of the Rack PDU firmware includes a fix for this vulnerability and is available for download here