CVE-2022-43675
https://notcve.org/view.php?id=CVE-2022-43675
An issue was discovered in NOKIA NFM-T R19.9. Reflected XSS in the Network Element Manager exists via /oms1350/pages/otn/cpbLogDisplay via the filename parameter, under /oms1350/pages/otn/connection/E2ERoutingDisplayWithOverLay via the id parameter, and under /oms1350/pages/otn/mainOtn via all parameters. Se descubrió un problema en NOKIA NFM-T R19.9. El XSS reflejado en Network Element Manager existe a través de /oms1350/pages/otn/cpbLogDisplay a través del parámetro filename, en /oms1350/pages/otn/connection/E2ERoutingDisplayWithOverLay a través del parámetro id y en /oms1350/pages/otn/mainOtn a través de todos los parámetros. • https://www.gruppotim.it/redteam • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-39822
https://notcve.org/view.php?id=CVE-2022-39822
In NOKIA NFM-T R19.9, a SQL Injection vulnerability occurs in /cgi-bin/R19.9/easy1350.pl of the VM Manager WebUI via the id or host HTTP GET parameter. An authenticated attacker is required for exploitation. En NOKIA NFM-T R19.9, se produce una vulnerabilidad de inyección SQL en /cgi-bin/R19.9/easy1350.pl de la interfaz web de VM Manager a través del parámetro GET HTTP id o host. Se requiere un atacante autenticado para la explotación. • https://www.gruppotim.it/it/footer/red-team.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2022-39820
https://notcve.org/view.php?id=CVE-2022-39820
In Network Element Manager in NOKIA NFM-T R19.9, an Unprotected Storage of Credentials vulnerability occurs under /root/RestUploadManager.xml.DRC and /DEPOT/KECustom_199/OTNE_DRC/RestUploadManager.xml. A remote user, authenticated to the operating system, with access privileges to the directory /root or /DEPOT, is able to read cleartext credentials to access the web portal NFM-T and control all the PPS Network elements. En Network Element Manager en NOKIA NFM-T R19.9, se produce una vulnerabilidad de almacenamiento de credenciales desprotegidas en /root/RestUploadManager.xml.DRC y /DEPOT/KECustom_199/OTNE_DRC/RestUploadManager.xml. Un usuario remoto, autenticado en el sistema operativo, con privilegios de acceso al directorio /root o /DEPOT, puede leer credenciales en texto plano para acceder al portal web NFM-T y controlar todos los elementos de la red PPS. • https://www.gruppotim.it/it/footer/red-team.html • CWE-522: Insufficiently Protected Credentials •
CVE-2022-41760
https://notcve.org/view.php?id=CVE-2022-41760
An issue was discovered in NOKIA NFM-T R19.9. Relative Path Traversal can occur under /oms1350/data/cpb/log of the Network Element Manager via the filename parameter, allowing a remote authenticated attacker to read arbitrary files. Se descubrió un problema en NOKIA NFM-T R19.9. El Path Traversal relativo puede ocurrir en /oms1350/data/cpb/log de Network Element Manager a través del parámetro filename, lo que permite a un atacante remoto autenticado leer archivos arbitrarios. • https://www.gruppotim.it/it/footer/red-team.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2022-41762
https://notcve.org/view.php?id=CVE-2022-41762
An issue was discovered in NOKIA NFM-T R19.9. Multiple Reflected XSS vulnerabilities exist in the Network Element Manager via any parameter to log.pl, the bench or pid parameter to top.pl, or the id parameter to easy1350.pl. Se descubrió un problema en NOKIA NFM-T R19.9. Existen múltiples vulnerabilidades de XSS reflejado en Network Element Manager a través de cualquier parámetro de log.pl, el parámetro bench o pid de top.pl o el parámetro id de easy1350.pl. • https://www.gruppotim.it/it/footer/red-team.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •