CVE-2023-26060
https://notcve.org/view.php?id=CVE-2023-26060
An issue was discovered in Nokia NetAct before 22 FP2211. On the Working Set Manager page, users can create a Working Set with a name that has a client-side template injection payload. Input validation is missing during creation of the working set. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. • https://nokia.com https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2022-04 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-26061
https://notcve.org/view.php?id=CVE-2023-26061
An issue was discovered in Nokia NetAct before 22 FP2211. On the Scheduled Search tab under the Alarm Reports Dashboard page, users can create a script to inject XSS. Input validation was missing during creation of a scheduled task. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. • https://nokia.com https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2022-05 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-26596
https://notcve.org/view.php?id=CVE-2021-26596
An issue was discovered in Nokia NetAct 18A. A malicious user can change a filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Here, the /netact/sct filename parameter is used. Se detectó un problema en Nokia NetAct 18A. • https://www.gruppotim.it/redteam https://www.trusted-introducer.org/directory/teams/nokia-psirt.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-26597
https://notcve.org/view.php?id=CVE-2021-26597
An issue was discovered in Nokia NetAct 18A. A remote user, authenticated to the NOKIA NetAct Web Page, can visit the Site Configuration Tool web site section and arbitrarily upload potentially dangerous files without restrictions via the /netact/sct dir parameter in conjunction with the operation=upload value. Se detectó un problema en Nokia NetAct 18A. Un usuario remoto, autenticado en la página web de NOKIA NetAct, puede visitar la sección del sitio web de la Site Configuration Tool y cargar arbitrariamente archivos potencialmente peligrosos sin restricciones por medio del parámetro dir de /netact/sct junto con el valor operation=upload • https://www.gruppotim.it/redteam https://www.trusted-introducer.org/directory/teams/nokia-psirt.html • CWE-434: Unrestricted Upload of File with Dangerous Type •