PT-2022-9283 · APC · Symmetra+18

Published: 2022-01-28 · Updated: 2022-02-04 · CVE-2021-22813

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

APC Smart-UPS, Symmetra, and Galaxy 3500 with Network Management Card 2 (NMC2) versions 6.9.8 and earlier
APC Symmetra PX 250/500 (SYPX) Network Management Card 2 (NMC2) versions 6.9.6 and earlier
APC Symmetra PX 48/96/100/160 kW UPS (PX2), Symmetra PX 20/40 kW UPS (SY3P), Gutor (SXW, GVX), and Galaxy (GVMTS, GVMSA, GVXTS, GVXSA, G7K, GFC, G9KCHU) with Network Management Card 2 (NMC2) versions 6.9.6 and earlier
APC Smart-UPS, Symmetra, and Galaxy 3500 with Network Management Card 3 (NMC3) versions 1.4.2.1 and earlier
APC Rack Power Distribution Units (PDU) using NMC2: 2G Metered/Switched Rack PDUs with embedded NMC2 versions 6.9.6 and earlier
APC Rack Power Distribution Units (PDU) using NMC3: 2G Metered/Switched Rack PDUs with embedded NMC3 versions 1.4.0 and earlier
APC 3-Phase Power Distribution Products using NMC2: Galaxy RPP versions 6.9.6 and earlier
Network Management Card 2 (NMC2) for InfraStruxure 150 kVA PDU with 84 Poles (X84P) versions 6.9.6 and earlier
Network Management Card 2 for InfraStruxure 40/60 kVA PDU (XPDU) versions 6.9.6 and earlier
Network Management Card 2 for Modular 150/175 kVA PDU (XRDP) versions 6.9.6 and earlier
Network Management Card 2 for 400 and 500 kVA (PMM) versions 6.9.6 and earlier
Network Management Card 2 for Modular PDU (XRDP2G) versions 6.9.6 and earlier
Rack Automatic Transfer Switches (ATS) with embedded NMC2 versions 6.9.6 and earlier
Network Management Card 2 (NMC2) Cooling Products versions 6.9.6 and earlier
Environmental Monitoring Unit with embedded NMC2 (NB250) versions 6.9.6 and earlier
Network Management Card 2 (NMC2): AP9922 Battery Management System (BM4) versions 6.9.6 and earlier
Description

A cross-site scripting vulnerability exists that could cause arbitrary script execution when a privileged account clicks on a malicious URL specifically crafted for the NMC pointing to an edit policy file.
Recommendations

For NMC2 versions 6.9.8 and earlier, update to a version later than 6.9.8.
For NMC2 versions 6.9.6 and earlier, update to a version later than 6.9.6.
For NMC3 versions 1.4.2.1 and earlier, update to a version later than 1.4.2.1.
For NMC3 versions 1.4.0 and earlier, update to a version later than 1.4.0.
As a temporary workaround, consider disabling access to the edit policy file until a patch is available. Restrict access to the NMC to minimize the risk of exploitation.

Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2021-22813

Affected Products

400/500 kVA
AP9922 Battery Management System
APC Rack Power Distribution Units
APC Smart-UPS
APC Symmetra PX 250/500
Environmental Monitoring Unit with Embedded NMC2
Galaxy
Galaxy 3500
Gutor
InfraStruxure 150 kVA PDU with 84 Poles
InfraStruxure 40/60 kVA PDU
Modular 150/175 kVA PDU
Modular PDU
Network Management Card 2
Network Management Card 3
Rack Automatic Transfer Switches
Symmetra
Symmetra PX 20/40 kW UPS
APC Symmetra PX 48/96/100/160 kW UPS