PT-2022-9280 · Apc · Symmetra+15

Published: 2022-01-28 · Updated: 2022-02-04 · CVE-2021-22810

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

APC Smart-UPS, Symmetra, and Galaxy 3500 with Network Management Card 2 (NMC2) versions 6.9.8 and earlier
APC Symmetra PX 250/500 (SYPX) Network Management Card 2 (NMC2) versions 6.9.6 and earlier
APC Symmetra PX 48/96/100/160 kW UPS (PX2), Symmetra PX 20/40 kW UPS (SY3P), Gutor (SXW, GVX), and Galaxy (GVMTS, GVMSA, GVXTS, GVXSA, G7K, GFC, G9KCHU) with Network Management Card 2 (NMC2) versions 6.9.6 and earlier
APC Smart-UPS, Symmetra, and Galaxy 3500 with Network Management Card 3 (NMC3) versions 1.4.2.1 and earlier
APC Rack Power Distribution Units (PDU) using NMC2: 2G Metered/Switched Rack PDUs with embedded NMC2 versions 6.9.6 and earlier
APC Rack Power Distribution Units (PDU) using NMC3: 2G Metered/Switched Rack PDUs with embedded NMC3 versions 1.4.0 and earlier
APC 3-Phase Power Distribution Products using NMC2: Galaxy RPP versions 6.9.6 and earlier
Network Management Card 2 (NMC2) for InfraStruxure 150 kVA PDU with 84 Poles (X84P) versions 6.9.6 and earlier
Network Management Card 2 for InfraStruxure 40/60 kVA PDU (XPDU) versions 6.9.6 and earlier
Network Management Card 2 for Modular 150/175 kVA PDU (XRDP) versions 6.9.6 and earlier
Network Management Card 2 for 400 and 500 kVA (PMM) versions 6.9.6 and earlier
Network Management Card 2 for Modular PDU (XRDP2G) versions 6.9.6 and earlier
Rack Automatic Transfer Switches (ATS) with embedded NMC2 versions 6.9.6 and earlier
Network Management Card 2 (NMC2) Cooling Products versions 6.9.6 and earlier
Environmental Monitoring Unit with embedded NMC2 (NB250) versions 6.9.6 and earlier
Network Management Card 2 (NMC2): AP9922 Battery Management System (BM4) versions 6.9.6 and earlier

Description

A Cross-site Scripting vulnerability exists that could cause arbitrary script execution when a privileged account clicks on a malicious URL specifically crafted for the NMC pointing to a delete policy file.

Recommendations

For NMC2 versions 6.9.8 and earlier, update to a version later than 6.9.8. For NMC2 versions 6.9.6 and earlier, update to a version later than 6.9.6. For NMC3 versions 1.4.2.1 and earlier, update to a version later than 1.4.2.1. For NMC3 versions 1.4.0 and earlier, update to a version later than 1.4.0.

As a temporary workaround, consider disabling the delete policy file feature until a patch is available. Restrict access to the NMC to minimize the risk of exploitation. Privileged users should avoid following untrusted URLs pointing at the NMC until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability for some products, so it is recommended to follow general security best practices to minimize the risk of exploitation.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2021-22810

Affected Products

Ap9922 Battery Management System
Apc Rack Power Distribution Units
Apc Smart-Ups
Apc Symmetra Px 250/500
Environmental Monitoring Unit
Galaxy
Galaxy 3500
Gutor
Infrastruxure
Modular 150/175Kva Pdu
Network Management Card 2
Network Management Card 3
Rack Automatic Transfer Switches
Symmetra
Symmetra Px 20/40 Kw Ups
Apc Symmetra Px 48/96/100/160 Kw Ups