Strix
26.1K

CVE-2021-40223

MEDIUMCVSS 5.4/10EPSS 0.60%

Last modified

CVE-2021-40223 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. Rittal CMC PU III Web management (version V3.11.00_2) fails to sanitize user input on several parameters of the configuration (User Configuration dialog, Task Configuration dialog and set logging filter dialog). This allows an attacker to backdoor the device with HTML and browser-interpreted content (such as JavaScript or other client-side scripts). EPSS estimates a 0.60% chance of exploitation in the next 30 days.

Description

Rittal CMC PU III Web management (version V3.11.00_2) fails to sanitize user input on several parameters of the configuration (User Configuration dialog, Task Configuration dialog and set logging filter dialog). This allows an attacker to backdoor the device with HTML and browser-interpreted content (such as JavaScript or other client-side scripts). The XSS payload will be triggered when the user accesses some specific sections of the application.

Metrics

CVSS 3.1
5.4/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Probability
0.60%

44.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
RittalCmc Pu Iii 7030.000 Firmware>= 3.11.00_2, < 3.17.10

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-40223?
Rittal CMC PU III Web management (version V3.11.00_2) fails to sanitize user input on several parameters of the configuration (User Configuration dialog, Task Configuration dialog and set logging filter dialog). This allows an attacker to backdoor the device with HTML and browser-interpreted content (such as JavaScript or other client-side scripts). The XSS payload will be triggered when the user accesses some specific sections of the application.
How severe is CVE-2021-40223?
CVE-2021-40223 has a CVSS score of 5.4/10 (MEDIUM severity). The EPSS model estimates a 0.60% probability of exploitation in the next 30 days.
How do I fix CVE-2021-40223?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-40223?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST