Cross-Site Scripting Vulnerability in APC Switched Rack PDU AP7932
CVE-2009-4406

Currently unrated

Key Information:

Vendor

Apc

Status
Ap7932 B2 Firmware
Ap7932 B2
Vendor
CVE Published:
23 December 2009

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2009-4406?

An XSS vulnerability exists in the Forms/login1 component of the APC Switched Rack PDU AP7932, specifically affecting versions running rpdu 3.3.3 or 3.7.0 on AOS 3.3.4. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML via the login_username parameter, potentially compromising the security of users accessing the affected devices. If successfully exploited, attackers may execute malicious scripts in the context of the user’s session, leading to unauthorized access and further attacks.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2009-4406 - Proof of Concept

References

http://www.packetstormsecurity.org/0912-exploits/apc-xss.txt
x_refsource_MISC
http://www.securityfocus.com/archive/1/508468/100/0/threaded
mailing-listx_refsource_BUGTRAQ
http://www.securityfocus.com/bid/37338
vdb-entryx_refsource_BID

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.