
CVSS: 8.1 • EPSS: 0% • CPEs: 12 • EXPL: 0

If Security Hardening guide rules are not followed, then Nokia WaveLite products allow a local user to create new users with administrative privileges by manipulating a web request. This affects (for example) WaveLite Metro 200 and Fan, WaveLite Metro 200 OPS and Fans, WaveLite Metro 200 and F2B fans, WaveLite Metro 200 OPS and F2B fans, WaveLite Metro 200 NE and F2B fans, and WaveLite Metro 200 NE OPS and F2B fans.
• https://nokia.com https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2023-22618
• CWE-284: Improper Access Control

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

An issue was discovered in NOKIA AMS 9.7.05. Remote Code Execution exists via the debugger of the ipAddress variable. A remote user, authenticated to the AMS server, could inject code in the PING function. The privileges of the command executed depend on the user that runs the service.
• https://www.gruppotim.it/it/footer/red-team.html
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 7.5 • EPSS: 0% • CPEs: 2 • EXPL: 1

Nokia Service Router Operating System (SR OS) 22.10 and SR Linux, when error-handling update-fault-tolerance is not enabled, mishandle BGP path attributes.
• https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling https://news.ycombinator.com/item?id=37305800 https://www.nokia.com/networks/technologies/service-router-operating-system
• CWE-670: Always-Incorrect Control Flow Implementation

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

An issue was discovered in Nokia NetAct 22. A remote user, authenticated to the website, can visit the Site Configuration Tool section and arbitrarily upload potentially dangerous files without restrictions via the /netact/sct dir parameter in conjunction with the operation=upload value.
• https://www.gruppotim.it/it/footer/red-team.html https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.html
• CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

An issue was discovered in Nokia NetAct 22 through the Administration of Measurements website section. A malicious user can edit or add the templateName parameter in order to include malicious code, which is then downloaded as a .csv or .xlsx file and executed on a victim machine. Here, the /aom/html/EditTemplate.jsf and /aom/html/ViewAllTemplatesPage.jsf templateName parameter is used.
• https://www.gruppotim.it/it/footer/red-team.html https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.html
• CWE-1236: Improper Neutralization of Formula Elements in a CSV File