CVE-2022-28864

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

An issue was discovered in Nokia NetAct 22 through the Administration of Measurements website section. A malicious user can edit or add the templateName parameter in order to include malicious code, which is then downloaded as a .csv or .xlsx file and executed on a victim machine. Here, the /aom/html/EditTemplate.jsf and /aom/html/ViewAllTemplatesPage.jsf templateName parameter is used.

*Credits: N/A

CVSS Scores

NISTv3.1 8.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2022-04-08 CVE Reserved
2023-07-24 CVE Published
2024-07-30 EPSS Updated
2024-10-24 CVE Updated
2024-10-24 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CAPEC

References (2)

URL	Tag	Source
https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.html	Not Applicable

URL	Date	SRC
https://www.gruppotim.it/it/footer/red-team.html	2024-10-24

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nokia Search vendor "Nokia"		Netact Search vendor "Nokia" for product "Netact"				22.0.0.62 Search vendor "Nokia" for product "Netact" and version "22.0.0.62"		-		Affected