CVE-2023-26059
Stored Cross-Site Scripting (XSS) vulnerability in Nokia NetAct
Public disclosure | 28-02-2023 |
---|---|
Last updated | 28-02-2023 |
Vulnerability type | Cross-Site Scripting (XSS) |
CVSS vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N |
CVSS score | 6.8 |
Description
The Site Configuration tool in Nokia NetAct has a file upload function. Unfortunately, it doesn't validate the file contents. A malicious user may upload a zip file to exploit this stored XSS vulnerability.
Note that the application is in a demilitarized zone behind a perimeter firewall and has no exposure to the internet. The vulnerability can only be exploited by an internal user.
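The kind of content check the upload function lacks, sketched as an added example; it is not Nokia's fix or NetAct code. The advisory does not describe the archive layout, so the allowed extensions, size cap, marker list and all function names are assumptions.

```python
import html
import io
import zipfile

# Assumed policy values; the advisory does not describe the archive layout.
ALLOWED_EXT = {".xml", ".csv", ".txt"}
MAX_BYTES = 1_000_000
MARKERS = (b"<script", b"<iframe", b"javascript:", b"onerror=", b"onload=")


def validate_upload(data: bytes) -> list:
    """Return rejection reasons (HTML-escaped); an empty list means accepted."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    problems = []
    for info in archive.infolist():
        if info.is_dir():
            continue
        name = info.filename
        shown = html.escape(name)  # member names are attacker-controlled text
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if any(c in name for c in "<>\"'&"):
            problems.append(f"{shown}: markup characters in name")
        elif ext not in ALLOWED_EXT:
            problems.append(f"{shown}: type not allowed")
        else:
            with archive.open(info) as fh:
                body = fh.read(MAX_BYTES + 1).lower()  # capped read
            if len(body) > MAX_BYTES:
                problems.append(f"{shown}: too large")
            elif any(m in body for m in MARKERS):  # defense in depth only
                problems.append(f"{shown}: active content")
    return problems


def render_value(value: str) -> str:
    """Primary control: encode stored values when they are written into HTML."""
    return html.escape(value, quote=True)


def make_zip(files: dict) -> bytes:
    """Build a constructed sample archive in memory (name -> bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

The marker scan only catches obvious cases; encoding every archive-derived value at render time, as in `render_value`, is what prevents stored markup from executing in a viewer's browser.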
Affected products and versions
Product | Versions |
---|---|
NetAct | NetAct 20, NetAct 22 |
Mitigation plan
A fix has been provided on top of NetAct 22.
Acknowledgements
- Vladimir Razov from Positive Technologies
- Aleksandr Ustinov from Positive Technologies
References
Change history: Initial version published on 28-02-2023