CVE-2021-26596
https://notcve.org/view.php?id=CVE-2021-26596
An issue was discovered in Nokia NetAct 18A. A malicious user can change a filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Here, the /netact/sct filename parameter is used.
• https://www.gruppotim.it/redteam
• https://www.trusted-introducer.org/directory/teams/nokia-psirt.html
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-26597
https://notcve.org/view.php?id=CVE-2021-26597
An issue was discovered in Nokia NetAct 18A. A remote user, authenticated to the NOKIA NetAct Web Page, can visit the Site Configuration Tool web site section and arbitrarily upload potentially dangerous files without restrictions via the /netact/sct dir parameter in conjunction with the operation=upload value.
• https://www.gruppotim.it/redteam
• https://www.trusted-introducer.org/directory/teams/nokia-psirt.html
• CWE-434: Unrestricted Upload of File with Dangerous Type