Search FAQs
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability (NMC3 RPDU2G)
Issue:
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists when an outlet user can create a “outlet link” which could allow the security token for a superuser to be forwarded to a machine controlled by the attacker, allowing the user to access the system with elevated privileges. Specifying all links as no referrer blocks the security token from being sent.
Product Lines:
Solution:
A firmware update has been made available to address CWE-79, and has been attached to this article. Please use the below chart to select the proper firmware version.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists when an outlet user can create a “outlet link” which could allow the security token for a superuser to be forwarded to a machine controlled by the attacker, allowing the user to access the system with elevated privileges. Specifying all links as no referrer blocks the security token from being sent.
Product Lines:
| Product | Version |
| AP7xxxx and AP8xxx with NMC2 | V6.9.6 or earlier |
| AP7xxx and AP8xxx with NMC3 | v1.1.0.3 or earlier |
| APDU9xxx with NMC3 | v1.0.0.28 or earlier |
Solution:
A firmware update has been made available to address CWE-79, and has been attached to this article. Please use the below chart to select the proper firmware version.
| AP7xxxx and AP8xxx with NMC2 | v7.0.6 of the Rack PDU firmware includes a fix for this vulnerability and is available for download here |
| AP7xxx and AP8xxx with NMC3 | v1.2.0.2 of the Rack PDU firmware includes a fix for this vulnerability and is available for download here |
| APDU9xxx with NMC3 | v1.2.0.2 of the Rack PDU firmware includes a fix for this vulnerability and is available for download here |
Released for:APC Singapore
Attachment(s)
Explore more
Explore more
