APC Network Management Card web interface vulnerable to cross-site scripting and cross-site request forgery


"The web management interface for the APC Network Monitoring Card (NMC)
used in various APC devices contains cross-site scripting (XSS) and
cross-site request forgery (CSRF/XSRF) vulnerabilities. By convincing a
victim to load a specially crafted URL while authenticated to an NMC, an
attacker could obtain credentials or perform certain actions as the
victim, including turning off the NMC-based device and any systems
attached to it."

"Update NMC firmware as specified by APC. Release notes indicate that
these vulnerabilities are addressed in firmware version 3.7.2 for
certain NMCs. APC has indicated that the vulnerabilities are also
addressed in firmware version 5.1.1."


It is recommended that APC units with web management interfaces be
upgraded to the latest firmware to avoid these vulnerabilities.
Alternatively, web access to the NMC could be turned off.