CVE-2023-26057
https://notcve.org/view.php?id=CVE-2023-26057
An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. • https://nokia.com https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2022-01 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2023-26058
https://notcve.org/view.php?id=CVE-2023-26058
An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. • https://nokia.com https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2022-02 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2023-26059
https://notcve.org/view.php?id=CVE-2023-26059
An issue was discovered in Nokia NetAct before 22 SP1037. On the Site Configuration Tool tab, attackers can upload a ZIP file which, when processed, exploits Stored XSS. The upload option of the Site Configuration tool does not validate the file contents. The application is in a demilitarised zone behind a perimeter firewall and without exposure to the internet. The attack can only be performed by an internal user. • https://nokia.com https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2022-03 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-26060
https://notcve.org/view.php?id=CVE-2023-26060
An issue was discovered in Nokia NetAct before 22 FP2211. On the Working Set Manager page, users can create a Working Set with a name that has a client-side template injection payload. Input validation is missing during creation of the working set. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. • https://nokia.com https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2022-04 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-26061
https://notcve.org/view.php?id=CVE-2023-26061
An issue was discovered in Nokia NetAct before 22 FP2211. On the Scheduled Search tab under the Alarm Reports Dashboard page, users can create a script to inject XSS. Input validation was missing during creation of a scheduled task. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. • https://nokia.com https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2022-05 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •