CWE
79
Advisory Published
Updated

CVE-2021-22811: XSS

First published: Fri Jan 28 2022(Updated: )

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause script execution when the request of a privileged account accessing the vulnerable web page is intercepted. Affected Products: 1-Phase Uninterruptible Power Supply (UPS) using NMC2 including Smart-UPS, Symmetra, and Galaxy 3500 with Network Management Card 2 (NMC2): AP9630/AP9630CH/AP9630J, AP9631/AP9631CH/AP9631J, AP9635/AP9635J (NMC2 AOS V6.9.8 and earlier), 3-Phase Uninterruptible Power Supply (UPS) using NMC2 including Symmetra PX 250/500 (SYPX) Network Management Card 2 (NMC2): AP9630/AP9630CH/AP9630J, AP9631/AP9631CH/AP9631J, AP9635/AP9635J (NMC2 AOS V6.9.6 and earlier), 3-Phase Uninterruptible Power Supply (UPS) using NMC2 including Symmetra PX 48/96/100/160 kW UPS (PX2), Symmetra PX 20/40 kW UPS (SY3P), Gutor (SXW, GVX), and Galaxy (GVMTS, GVMSA, GVXTS, GVXSA, G7K, GFC, G9KCHU): AP9630/AP9630CH/AP9630J, AP9631/AP9631CH/AP9631J, AP9635/AP9635CH (NMC2 AOS V6.9.6 and earlier), 1-Phase Uninterruptible Power Supply (UPS) using NMC3 including Smart-UPS, Symmetra, and Galaxy 3500 with Network Management Card 3 (NMC3): AP9640/AP9640J, AP9641/AP9641J, AP9643/AP9643J (NMC3 AOS V1.4.2.1 and earlier), APC Rack Power Distribution Units (PDU) using NMC2 2G Metered/Switched Rack PDUs with embedded NMC2: AP84XX, AP86XX, AP88XX, AP89XX (NMC2 AOS V6.9.6 and earlier), APC Rack Power Distribution Units (PDU) using NMC3 2G Metered/Switched Rack PDUs with embedded NMC3: APDU99xx (NMC3 AOS V1.4.0 and earlier), APC 3-Phase Power Distribution Products using NMC2 Galaxy RPP: GRPPIP2X84 (NMC2 AOS V6.9.6 and earlier), Network Management Card 2 (NMC2) for InfraStruxure 150 kVA PDU with 84 Poles (X84P): PDPB150G6F (NMC2 AOS V6.9.6 and earlier), Network Management Card 2 for InfraStruxure 40/60kVA PDU (XPDU) PD40G6FK1-M, PD40F6FK1-M, PD40L6FK1-M, PDRPPNX10 M,PD60G6FK1, PD60F6FK1, PD60L6FK1, PDRPPNX10, PD40E5EK20-M, PD40H5EK20-M (NMC2 AOS V6.9.6 and earlier), Network Management Card 2 for Modular 150/175kVA PDU (XRDP): PDPM150G6F, PDPM150L6F, PDPM175G6H (NMC2 AOS V6.9.6 and earlier), Network Management Card 2 for 400 and 500 kVA (PMM): PMM400-ALA, PMM400-ALAX, PMM400-CUB, PMM500-ALA, PMM500-ALAX, PMM500-CUB (NMC2 AOS V6.9.6 and earlier), Network Management Card 2 for Modular PDU (XRDP2G): PDPM72F-5U, PDPM138H-5U, PDPM144F, PDPM138H-R, PDPM277H, PDPM288G6H (NMC2 AOS V6.9.6 and earlier), Rack Automatic Transfer Switches (ATS) Embedded NMC2: Rack Automatic Transfer Switches - AP44XX (ATS4G) (NMC2 AOS V6.9.6 and earlier), Network Management Card 2 (NMC2) Cooling Products: InRow Cooling for series ACRP5xx, ACRP1xx, ACRD5xx, and ACRC5xx SKUs (ACRP2G), InRow Cooling for series ACRC10x SKUs (RC10X2G), InRow Cooling for series ACRD6xx and ACRC6xx SKUs (ACRD2G), InRow Cooling Display for series ACRD3xx (ACRC2G), InRow Cooling for series ACSC1xx SKUs (SC2G), InRow Cooling for series ACRD1xx and ACRD2xx (ACRPTK2G), Ecoflair IAEC25/50 Air Economizer Display (EB2G), Uniflair SP UCF0481I, UCF0341I (UNFLRSP), Uniflair LE DX Perimeter Cooling Display for SKUs: IDAV, IDEV, IDWV, IUAV, IUEV, IUWV, IXAV, IXEV, IXWV, LDAV, LDEV, and LDWV (LEDX2G), Refrigerant Distribution Unit: ACDA9xx (RDU) (NMC2 AOS V6.9.6 and earlier), Environmental Monitoring Unit with embedded NMC2 (NB250): NetBotz NBRK0250 (NMC2 AOS V6.9.6 and earlier), and Network Management Card 2 (NMC2): AP9922 Battery Management System (BM4) (NMC2 AOS V6.9.6 and earlier)

Credit: cybersecurity@se.com

Affected SoftwareAffected VersionHow to fix
Schneider-electric Network Management Card 2 Firmware<=6.9.8
Schneider-electric Galaxy 3500
Schneider-electric Network Management Card 2
Schneider-electric Single-phase Symmetra
Schneider-electric Smart-ups
Schneider-electric Network Management Card 2 Firmware<=6.9.6
Schneider-electric Ap9922 Battery Management System
Schneider-electric Apc Rack Power Distribution Units
Schneider-electric Galaxy G7x
Schneider-electric Galaxy G9kchu
Schneider-electric Galaxy Gcxsa
Schneider-electric Galaxy Gfc
Schneider-electric Galaxy Gvmsa
Schneider-electric Galaxy Gvmts
Schneider-electric Galaxy Gvxts
Schneider-electric Galaxy Rpp Grppip2x84
Schneider-electric Gutor Gvx
Schneider-electric Gutor Sxw
Schneider-electric Netbotz Nbrk0250
Schneider-electric Pd40e5ek20-m
Schneider-electric Pd40f6fk1-m
Schneider-electric Pd40g6fk1-m
Schneider-electric Pd40h5ek20-m
Schneider-electric Pd40l6fk1-m
Schneider-electric Pd60f6fk1
Schneider-electric Pd60g6fk1
Schneider-electric Pd60l6fk1
Schneider-electric Pdpb150g6f
Schneider-electric Pdpm138h-5u
Schneider-electric Pdpm138h-r
Schneider-electric Pdpm144f
Schneider-electric Pdpm150g6f
Schneider-electric Pdpm150l6f
Schneider-electric Pdpm175g6h
Schneider-electric Pdpm277h
Schneider-electric Pdpm288g6h
Schneider-electric Pdpm72f-5u
Schneider-electric Pdrppnx10
Schneider-electric Pdrppnx10m
Schneider-electric Pmm400-ala
Schneider-electric Pmm400-alax
Schneider-electric Pmm400-cub
Schneider-electric Pmm500-ala
Schneider-electric Pmm500-alax
Schneider-electric Pmm500-cub
Schneider-electric Rack Automatic Transfer Switches
Schneider-electric Symmetra Px 100
Schneider-electric Symmetra Px 160
Schneider-electric Symmetra Px 20
Schneider-electric Symmetra Px 250
Schneider-electric Symmetra Px 40
Schneider-electric Symmetra Px 48
Schneider-electric Symmetra Px 500
Schneider-electric Symmetra Px 96
Schneider-electric Network Management Card 3 Firmware<=1.4.2.1
Schneider-electric Network Management Card 3
Schneider-electric Network Management Card 3 Firmware<=1.4.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203