CVSS: 10.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

03 Nov 2023 — Chunghwa Telecom NOKIA G-040W-Q Firewall function has a vulnerability of input validation for ICMP redirect messages. An unauthenticated remote attacker can exploit this vulnerability by sending a crafted packet to modify the network routing table, resulting in a denial of service or sensitive information leaking. • https://www.twcert.org.tw/tw/cp-132-7505-a0c94-1.html • CWE-20: Improper Input Validation • CWE-940: Improper Verification of Source of a Communication Channel •

CVSS: 5.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

03 Nov 2023 — Chunghwa Telecom NOKIA G-040W-Q Firewall function does not block ICMP TIMESTAMP requests by default; an unauthenticated remote attacker can exploit this vulnerability by sending a crafted packet, resulting in partially sensitive information exposed to an actor. • https://www.twcert.org.tw/tw/cp-132-7504-c6a5e-1.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 9.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

03 Nov 2023 — Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of weak password requirements. A remote attacker with regular user privilege can easily infer the administrator password from system information after logging in to the system, resulting in admin access and the ability to perform arbitrary system operations or disrupt service. • https://www.twcert.org.tw/tw/cp-132-7503-a27ed-1.html • CWE-521: Weak Password Requirements •

CVSS: 8.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

03 Nov 2023 — Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of insufficient filtering for user input. A remote attacker with administrator privilege can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system or terminate services. • https://www.twcert.org.tw/tw/cp-132-7502-287ec-1.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 10.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

03 Nov 2023 — Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of authentication bypass, which allows an unauthenticated remote attacker to bypass the authentication mechanism to log in to the device by an alternative URL. This makes it possible for unauthenticated remote attackers to log in as any existing users, such as an administrator, to perform arbitrary system operations or disrupt service. • https://www.twcert.org.tw/tw/cp-132-7501-6155a-1.html • CWE-288: Authentication Bypass Using an Alternate Path or Channel • CWE-306: Missing Authentication for Critical Function •

CVSS: 10.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

03 Nov 2023 — Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of insufficient measures to prevent multiple failed authentication attempts. An unauthenticated remote attacker can execute crafted JavaScript to expose the captcha in the page, making it very easy for bots to bypass the captcha check and leaving the device more susceptible to brute force attacks. • https://www.twcert.org.tw/tw/cp-132-7500-0c544-1.html • CWE-307: Improper Restriction of Excessive Authentication Attempts •

CVSS: 8.1 • EPSS: 0% • CPEs: 12 • EXPL: 0

04 Oct 2023 — If Security Hardening guide rules are not followed, then Nokia WaveLite products allow a local user to create new users with administrative privileges by manipulating a web request. This affects (for example) WaveLite Metro 200 and Fan, WaveLite Metro 200 OPS and Fans, WaveLite Metro 200 and F2B fans, WaveLite Metro 200 OPS and F2B fans, WaveLite Metro 200 NE and F2B fans, and WaveLite Metro 200 NE OPS and F2B fans. • https://nokia.com • CWE-284: Improper Access Control •

CVSS: 9.0 • EPSS: 1% • CPEs: 1 • EXPL: 1

05 Sep 2023 — An issue was discovered in NOKIA AMS 9.7.05. Remote Code Execution exists via the debugger of the ipAddress variable. A remote user, authenticated to the AMS server, could inject code in the PING function. The privileges of the command executed depend on the user that runs the service. • https://www.gruppotim.it/it/footer/red-team.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 1

29 Aug 2023 — Nokia Service Router Operating System (SR OS) 22.10 and SR Linux, when error-handling update-fault-tolerance is not enabled, mishandle BGP path attributes. • https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling • CWE-670: Always-Incorrect Control Flow Implementation •

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

24 Jul 2023 — An issue was discovered in Nokia NetAct 22. A remote user, authenticated to the website, can visit the Site Configuration Tool section and arbitrarily upload potentially dangerous files without restrictions via the /netact/sct dir parameter in conjunction with the operation=upload value. • https://www.gruppotim.it/it/footer/red-team.html • CWE-434: Unrestricted Upload of File with Dangerous Type •