cvelistv5 - cve-2009-1798

CVE-2009-1798 (GCVE-0-2009-1798)

Vulnerability from cvelistv5 – Published: 2009-12-28 19:00 – Updated: 2024-09-17 03:48

Summary

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://holisticinfosec.org/content/view/111/45/	x_refsource_MISC
	http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/endu…	x_refsource_CONFIRM
	http://www.kb.cert.org/vuls/id/166739	third-party-advisoryx_refsource_CERT-VN
	http://secunia.com/advisories/37744	third-party-advisoryx_refsource_SECUNIA

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T05:27:54.397Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://holisticinfosec.org/content/view/111/45/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887"
          },
          {
            "name": "VU#166739",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/166739"
          },
          {
            "name": "37744",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/37744"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple cross-site scripting (XSS) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.  NOTE: the login_username vector for Forms/login1 is already covered by CVE-2009-4406."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2009-12-28T19:00:00Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://holisticinfosec.org/content/view/111/45/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887"
        },
        {
          "name": "VU#166739",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/166739"
        },
        {
          "name": "37744",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/37744"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2009-1798",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.  NOTE: the login_username vector for Forms/login1 is already covered by CVE-2009-4406."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://holisticinfosec.org/content/view/111/45/",
              "refsource": "MISC",
              "url": "http://holisticinfosec.org/content/view/111/45/"
            },
            {
              "name": "http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887",
              "refsource": "CONFIRM",
              "url": "http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887"
            },
            {
              "name": "VU#166739",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/166739"
            },
            {
              "name": "37744",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/37744"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2009-1798",
    "datePublished": "2009-12-28T19:00:00Z",
    "dateReserved": "2009-05-26T00:00:00Z",
    "dateUpdated": "2024-09-17T03:48:35.279Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:apc:network_management_card:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B549D2FA-E74F-4674-8D2E-B8C605EE0FD2\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:apc:switched_rack_pdu:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6CCDBFB0-6726-4988-A59E-234C88EB04D0\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Multiple cross-site scripting (XSS) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.  NOTE: the login_username vector for Forms/login1 is already covered by CVE-2009-4406.\"}, {\"lang\": \"es\", \"value\": \"M\\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Network Management Card (NMC) para dispositivos American Power Conversion (APC) Switched Rack PDU (tambi\\u00e9n conocido como Rack Mount Power Distribution) y otros dispositivos permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\\u00f3n medisnte vectores no especificados. NOTA: el vector login_username para Forms/login1 est\\u00e1 ya cubierto por CVE-2009-4406.\"}]",
      "id": "CVE-2009-1798",
      "lastModified": "2024-11-21T01:03:24.260",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2009-12-28T19:30:00.267",
      "references": "[{\"url\": \"http://holisticinfosec.org/content/view/111/45/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/37744\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.kb.cert.org/vuls/id/166739\", \"source\": \"cve@mitre.org\", \"tags\": [\"US Government Resource\"]}, {\"url\": \"http://holisticinfosec.org/content/view/111/45/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/37744\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.kb.cert.org/vuls/id/166739\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"US Government Resource\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2009-1798\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2009-12-28T19:30:00.267\",\"lastModified\":\"2025-04-09T00:30:58.490\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Multiple cross-site scripting (XSS) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.  NOTE: the login_username vector for Forms/login1 is already covered by CVE-2009-4406.\"},{\"lang\":\"es\",\"value\":\"M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Network Management Card (NMC) para dispositivos American Power Conversion (APC) Switched Rack PDU (tambi\u00e9n conocido como Rack Mount Power Distribution) y otros dispositivos permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n medisnte vectores no especificados. NOTA: el vector login_username para Forms/login1 est\u00e1 ya cubierto por CVE-2009-4406.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:apc:network_management_card:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B549D2FA-E74F-4674-8D2E-B8C605EE0FD2\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:apc:switched_rack_pdu:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6CCDBFB0-6726-4988-A59E-234C88EB04D0\"}]}]}],\"references\":[{\"url\":\"http://holisticinfosec.org/content/view/111/45/\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/37744\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.kb.cert.org/vuls/id/166739\",\"source\":\"cve@mitre.org\",\"tags\":[\"US Government Resource\"]},{\"url\":\"http://holisticinfosec.org/content/view/111/45/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/37744\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.kb.cert.org/vuls/id/166739\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"US Government Resource\"]}]}}"
  }
}

GSD-2009-1798

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2009-1798

Aliases

CVE-2009-1798

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2009-1798",
    "description": "Multiple cross-site scripting (XSS) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.  NOTE: the login_username vector for Forms/login1 is already covered by CVE-2009-4406.",
    "id": "GSD-2009-1798"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2009-1798"
      ],
      "details": "Multiple cross-site scripting (XSS) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.  NOTE: the login_username vector for Forms/login1 is already covered by CVE-2009-4406.",
      "id": "GSD-2009-1798",
      "modified": "2023-12-13T01:19:47.527447Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2009-1798",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Multiple cross-site scripting (XSS) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.  NOTE: the login_username vector for Forms/login1 is already covered by CVE-2009-4406."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://holisticinfosec.org/content/view/111/45/",
            "refsource": "MISC",
            "url": "http://holisticinfosec.org/content/view/111/45/"
          },
          {
            "name": "http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887",
            "refsource": "CONFIRM",
            "url": "http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887"
          },
          {
            "name": "VU#166739",
            "refsource": "CERT-VN",
            "url": "http://www.kb.cert.org/vuls/id/166739"
          },
          {
            "name": "37744",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/37744"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:apc:network_management_card:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:apc:switched_rack_pdu:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2009-1798"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.  NOTE: the login_username vector for Forms/login1 is already covered by CVE-2009-4406."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "VU#166739",
              "refsource": "CERT-VN",
              "tags": [
                "US Government Resource"
              ],
              "url": "http://www.kb.cert.org/vuls/id/166739"
            },
            {
              "name": "37744",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/37744"
            },
            {
              "name": "http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887"
            },
            {
              "name": "http://holisticinfosec.org/content/view/111/45/",
              "refsource": "MISC",
              "tags": [],
              "url": "http://holisticinfosec.org/content/view/111/45/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2010-06-29T04:00Z",
      "publishedDate": "2009-12-28T19:30Z"
    }
  }
}

GHSA-F4C8-X8GV-8VPM

Vulnerability from github – Published: 2022-05-02 03:28 – Updated: 2025-04-09 04:17

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2009-1798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-12-28T19:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple cross-site scripting (XSS) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.  NOTE: the login_username vector for Forms/login1 is already covered by CVE-2009-4406.",
  "id": "GHSA-f4c8-x8gv-8vpm",
  "modified": "2025-04-09T04:17:42Z",
  "published": "2022-05-02T03:28:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1798"
    },
    {
      "type": "WEB",
      "url": "http://holisticinfosec.org/content/view/111/45"
    },
    {
      "type": "WEB",
      "url": "http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/37744"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/166739"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

VAR-200912-0431

Vulnerability from variot - Updated: 2023-12-18 12:52

Multiple cross-site scripting (XSS) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the login_username vector for Forms/login1 is already covered by CVE-2009-4406. By convincing a victim to load a specially crafted URL while authenticated to an NMC, an attacker could obtain credentials or perform certain actions as the victim, including turning off the NMC-based device and any systems attached to it. An attacker can exploit the cross-site request forgery issues to alter the settings on affected devices, which may lead to further network-based attacks. The attacker can exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible. Versions prior to the following are vulnerable: Network Management Card Firmware 3.7.2 Network Management Card Firmware 5.1.1. ----------------------------------------------------------------------

Do you have VARM strategy implemented?

(Vulnerability Assessment Remediation Management)

If not, then implement it through the most reliable vulnerability intelligence source on the market.

Implement it through Secunia.

1) Input passed to various parameters (e.g. the "login_username" parameter in Forms/login1) is not properly sanitised before being returned to the user.

2) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. create administrative users by tricking a logged-in administrative user into visiting a malicious web site.

Vulnerability #1 is reported in APC AP7932 Switched Rack PDU version 3.3.4 with application module version 3.7.0. Other APC NMC products and versions may also be affected.

SOLUTION: Filter malicious characters and character sequences using a proxy. Do not browse untrusted websites and do not follow untrusted links.

Apply updated firmware versions when available. Contact the vendor for additional details.

PROVIDED AND/OR DISCOVERED BY: Russ McRee, HolisticInfoSec.

Vulnerability #1 also independently discovered by Jamal Pecou.

ORIGINAL ADVISORY: HolisticInfoSec: http://holisticinfosec.org/content/view/111/45/

APC: http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887&p_created=1261587018&p_topview=1

Jamal Pecou: http://archives.neohapsis.com/archives/bugtraq/current/0219.html

OTHER REFERENCES: US-CERT VU#166739: http://www.kb.cert.org/vuls/id/166739

About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.

Subscribe: http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/

Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200912-0431",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "network management card",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apc",
        "version": "*"
      },
      {
        "model": "switched rack pdu",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apc",
        "version": "*"
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "american power conversion corp",
        "version": null
      },
      {
        "model": "apc network management card",
        "scope": null,
        "trust": 0.8,
        "vendor": "schneider electric former name",
        "version": null
      },
      {
        "model": "apc switched rack pdu",
        "scope": null,
        "trust": 0.8,
        "vendor": "schneider electric former name",
        "version": null
      },
      {
        "model": "network management card",
        "scope": null,
        "trust": 0.6,
        "vendor": "apc",
        "version": null
      },
      {
        "model": "switched rack pdu ap7932",
        "scope": null,
        "trust": 0.3,
        "vendor": "apc",
        "version": null
      },
      {
        "model": "network management card",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apc",
        "version": "0"
      },
      {
        "model": "network management card",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "apc",
        "version": "5.1.1"
      },
      {
        "model": "network management card",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "apc",
        "version": "3.7.2"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#166739"
      },
      {
        "db": "BID",
        "id": "37338"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-002513"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1798"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200912-358"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:apc:network_management_card:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:apc:switched_rack_pdu:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2009-1798"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Jamal Pecou, Russ McRee",
    "sources": [
      {
        "db": "BID",
        "id": "37338"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200912-358"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2009-1798",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.3,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2009-1798",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "VHN-39244",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2009-1798",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200912-358",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-39244",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-39244"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-002513"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1798"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200912-358"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Multiple cross-site scripting (XSS) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.  NOTE: the login_username vector for Forms/login1 is already covered by CVE-2009-4406. By convincing a victim to load a specially crafted URL while authenticated to an NMC, an attacker could obtain credentials or perform certain actions as the victim, including turning off the NMC-based device and any systems attached to it. \nAn attacker can exploit the cross-site request forgery issues to alter the settings on affected devices, which may lead to further network-based attacks. \nThe attacker can exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible. \nVersions prior to the following are vulnerable:\nNetwork Management Card Firmware 3.7.2\nNetwork Management Card Firmware 5.1.1. ----------------------------------------------------------------------\n\nDo you have VARM strategy implemented?\n\n(Vulnerability Assessment Remediation Management)  \n\nIf not, then implement it through the most reliable vulnerability\nintelligence source on the market. \n\nImplement it through Secunia. \n\n1) Input passed to various parameters (e.g. the \"login_username\"\nparameter in Forms/login1) is not properly sanitised before being\nreturned to the user. \n\n2) The application allows users to perform certain actions via HTTP\nrequests without performing any validity checks to verify the\nrequest. This can be exploited to e.g. create administrative users by\ntricking a logged-in administrative user into visiting a malicious web\nsite. \n\nVulnerability #1 is reported in APC AP7932 Switched Rack PDU version\n3.3.4 with application module version 3.7.0. Other APC NMC products\nand versions may also be affected. \n\nSOLUTION:\nFilter malicious characters and character sequences using a proxy. Do\nnot browse untrusted websites and do not follow untrusted links. \n\nApply updated firmware versions when available. Contact the vendor\nfor additional details. \n\nPROVIDED AND/OR DISCOVERED BY:\nRuss McRee, HolisticInfoSec. \n\nVulnerability #1 also independently discovered by Jamal Pecou. \n\nORIGINAL ADVISORY:\nHolisticInfoSec:\nhttp://holisticinfosec.org/content/view/111/45/\n\nAPC:\nhttp://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887\u0026p_created=1261587018\u0026p_topview=1\n\nJamal Pecou:\nhttp://archives.neohapsis.com/archives/bugtraq/current/0219.html\n\nOTHER REFERENCES:\nUS-CERT VU#166739:\nhttp://www.kb.cert.org/vuls/id/166739\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2009-1798"
      },
      {
        "db": "CERT/CC",
        "id": "VU#166739"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-002513"
      },
      {
        "db": "BID",
        "id": "37338"
      },
      {
        "db": "VULHUB",
        "id": "VHN-39244"
      },
      {
        "db": "PACKETSTORM",
        "id": "84238"
      }
    ],
    "trust": 2.79
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-39244",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-39244"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#166739",
        "trust": 3.1
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1798",
        "trust": 2.8
      },
      {
        "db": "SECUNIA",
        "id": "37744",
        "trust": 2.7
      },
      {
        "db": "BID",
        "id": "37338",
        "trust": 1.9
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-002513",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200912-358",
        "trust": 0.7
      },
      {
        "db": "EXPLOIT-DB",
        "id": "33405",
        "trust": 0.1
      },
      {
        "db": "SEEBUG",
        "id": "SSVID-86627",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-39244",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "84238",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#166739"
      },
      {
        "db": "VULHUB",
        "id": "VHN-39244"
      },
      {
        "db": "BID",
        "id": "37338"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-002513"
      },
      {
        "db": "PACKETSTORM",
        "id": "84238"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1798"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200912-358"
      }
    ]
  },
  "id": "VAR-200912-0431",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-39244"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T12:52:37.013000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "10887",
        "trust": 0.8,
        "url": "http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-002513"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-39244"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-002513"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1798"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.9,
        "url": "http://holisticinfosec.org/content/view/111/45/"
      },
      {
        "trust": 2.5,
        "url": "http://secunia.com/advisories/37744"
      },
      {
        "trust": 2.3,
        "url": "http://www.kb.cert.org/vuls/id/166739"
      },
      {
        "trust": 1.7,
        "url": "http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887"
      },
      {
        "trust": 1.2,
        "url": "http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887\u0026p_created=1261587018\u0026p_topview=1"
      },
      {
        "trust": 0.8,
        "url": "http://www.securityfocus.com/archive/1/508468/30/60/threaded"
      },
      {
        "trust": 0.8,
        "url": "http://www.securityfocus.com/archive/1/508468/100/0/threaded"
      },
      {
        "trust": 0.8,
        "url": "http://www.securityfocus.com/bid/37338/info"
      },
      {
        "trust": 0.8,
        "url": "http://www.apcmedia.com/salestools/pmar-82bmh5_r0_en.zip"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1798"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/cert/jvnvu166739/index.html"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1798"
      },
      {
        "trust": 0.8,
        "url": "http://www.securityfocus.com/bid/37338"
      },
      {
        "trust": 0.3,
        "url": "http://www.apc.com"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/37744/"
      },
      {
        "trust": 0.1,
        "url": "http://archives.neohapsis.com/archives/bugtraq/current/0219.html"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/secunia_security_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/about_secunia_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/business_solutions/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#166739"
      },
      {
        "db": "VULHUB",
        "id": "VHN-39244"
      },
      {
        "db": "BID",
        "id": "37338"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-002513"
      },
      {
        "db": "PACKETSTORM",
        "id": "84238"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1798"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200912-358"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#166739"
      },
      {
        "db": "VULHUB",
        "id": "VHN-39244"
      },
      {
        "db": "BID",
        "id": "37338"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-002513"
      },
      {
        "db": "PACKETSTORM",
        "id": "84238"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1798"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200912-358"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2010-02-25T00:00:00",
        "db": "CERT/CC",
        "id": "VU#166739"
      },
      {
        "date": "2009-12-28T00:00:00",
        "db": "VULHUB",
        "id": "VHN-39244"
      },
      {
        "date": "2009-12-15T00:00:00",
        "db": "BID",
        "id": "37338"
      },
      {
        "date": "2010-03-12T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-002513"
      },
      {
        "date": "2009-12-29T10:24:08",
        "db": "PACKETSTORM",
        "id": "84238"
      },
      {
        "date": "2009-12-28T19:30:00.267000",
        "db": "NVD",
        "id": "CVE-2009-1798"
      },
      {
        "date": "2009-12-28T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200912-358"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2010-04-29T00:00:00",
        "db": "CERT/CC",
        "id": "VU#166739"
      },
      {
        "date": "2010-06-29T00:00:00",
        "db": "VULHUB",
        "id": "VHN-39244"
      },
      {
        "date": "2010-02-25T17:41:00",
        "db": "BID",
        "id": "37338"
      },
      {
        "date": "2010-03-12T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-002513"
      },
      {
        "date": "2010-06-29T04:00:00",
        "db": "NVD",
        "id": "CVE-2009-1798"
      },
      {
        "date": "2009-12-29T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200912-358"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200912-358"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "APC Network Management Card web interface vulnerable to cross-site scripting and cross-site request forgery",
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#166739"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "XSS",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200912-358"
      }
    ],
    "trust": 0.6
  }
}

FKIE_CVE-2009-1798

Vulnerability from fkie_nvd - Published: 2009-12-28 19:30 - Updated: 2025-04-09 00:30

Severity ?

Summary

References

URL	Tags
cve@mitre.org	http://holisticinfosec.org/content/view/111/45/
cve@mitre.org	http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887	Vendor Advisory
cve@mitre.org	http://secunia.com/advisories/37744	Vendor Advisory
cve@mitre.org	http://www.kb.cert.org/vuls/id/166739	US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://holisticinfosec.org/content/view/111/45/
af854a3a-2127-422b-91ae-364da2661108	http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/37744	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.kb.cert.org/vuls/id/166739	US Government Resource

Impacted products

	Vendor	Product	Version
	apc	network_management_card	*
	apc	switched_rack_pdu	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:apc:network_management_card:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B549D2FA-E74F-4674-8D2E-B8C605EE0FD2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:apc:switched_rack_pdu:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6CCDBFB0-6726-4988-A59E-234C88EB04D0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple cross-site scripting (XSS) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.  NOTE: the login_username vector for Forms/login1 is already covered by CVE-2009-4406."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Network Management Card (NMC) para dispositivos American Power Conversion (APC) Switched Rack PDU (tambi\u00e9n conocido como Rack Mount Power Distribution) y otros dispositivos permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n medisnte vectores no especificados. NOTA: el vector login_username para Forms/login1 est\u00e1 ya cubierto por CVE-2009-4406."
    }
  ],
  "id": "CVE-2009-1798",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2009-12-28T19:30:00.267",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://holisticinfosec.org/content/view/111/45/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/37744"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/166739"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://holisticinfosec.org/content/view/111/45/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/37744"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/166739"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2009-1798 (GCVE-0-2009-1798)

GSD-2009-1798

GHSA-F4C8-X8GV-8VPM

VAR-200912-0431

FKIE_CVE-2009-1798

Tags

Sightings

Nomenclature