CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-26057
https://notcve.org/view.php?id=CVE-2023-26057
25 Apr 2023 — An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. • https://nokia.com • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-26058
https://notcve.org/view.php?id=CVE-2023-26058
25 Apr 2023 — An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. • https://nokia.com • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-26059
https://notcve.org/view.php?id=CVE-2023-26059
24 Apr 2023 — An issue was discovered in Nokia NetAct before 22 SP1037. On the Site Configuration Tool tab, attackers can upload a ZIP file which, when processed, exploits Stored XSS. The upload option of the Site Configuration tool does not validate the file contents. The application is in a demilitarised zone behind a perimeter firewall and without exposure to the internet. The attack can only be performed by an internal user. • https://nokia.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-26061
https://notcve.org/view.php?id=CVE-2023-26061
24 Apr 2023 — An issue was discovered in Nokia NetAct before 22 FP2211. On the Scheduled Search tab under the Alarm Reports Dashboard page, users can create a script to inject XSS. Input validation was missing during creation of a scheduled task. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. • https://nokia.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •