CVE-2023-26060
Cross Site Template Injection Vulnerability in Nokia NetAct
| Public disclosure | 28-02-2023 |
|---|---|
| Last updated | 28-02-2023 |
| Vulnerability type | Cross Site Template Injection |
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N |
| CVSS score | 6.8 |
Description
In the NetAct Working Set Manager, input validation is not properly implemented in the create-working-set function. A NetAct user who creates a working set with malicious code in its name can inject a client-side template injection payload: the name is stored as entered and is evaluated by the client-side template engine when it is rendered, rather than being treated as plain text. The CVSS vector reflects this (scope changed, confidentiality impact high, user interaction required).
This vulnerability is very difficult to exploit from outside the system, because several dynamically created parameters (e.g. the Jsession-id, the CSRF token and the Nxsrf tokens) would be needed to submit the request. The attack can only be performed by an internal, authenticated user.
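As an added illustration (this is not NetAct code, and the advisory does not name the template engine NetAct uses), the following JavaScript shows the general pattern behind a client-side template injection of the kind described above: a working-set name that is spliced into a template's source before compilation is evaluated as an expression, while the same name bound as data and escaped is rendered as text. The minimal `{{ }}` expression engine, the `sessionUser` context value, the sample names and the `isValidWorkingSetName` allow-list are assumptions made for the example.

```javascript
// Added illustration, not NetAct code: how a client-side template injection
// (CSTI) arises when user-controlled text is spliced into a template's source
// before compilation, and how treating the same text purely as data avoids it.
// The {{ }} engine below is a minimal stand-in (assumption) for a client-side
// template engine that evaluates expressions; NetAct's real engine is not named.

// Evaluate one template expression with the context properties in scope.
function evalExpression(expr, ctx) {
  return Function(...Object.keys(ctx), `return (${expr});`)(...Object.values(ctx));
}

// Compile a template into a render function. Every {{ expr }} becomes an
// expression that is evaluated at render time; everything else is literal text.
function compile(template) {
  const parts = [];
  const re = /\{\{([\s\S]*?)\}\}/g;
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    parts.push({ text: template.slice(last, m.index) });
    parts.push({ expr: m[1].trim() });
    last = re.lastIndex;
  }
  parts.push({ text: template.slice(last) });
  return (ctx) =>
    parts.map((p) => ('expr' in p ? String(evalExpression(p.expr, ctx)) : p.text)).join('');
}

// HTML-escape a value that is emitted as text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: the stored working-set name is concatenated into the template
// source, so any {{ ... }} inside the name is compiled and evaluated with
// access to the page context (here the constructed `sessionUser` value).
function renderWorkingSetUnsafe(name, ctx) {
  const templateSource = `<li class="working-set">${name}</li>`;
  return compile(templateSource)(ctx);
}

// HARDENED: the template is fixed at build time and the name only ever enters
// as a context value, which the template escapes before emitting it as text.
const WORKING_SET_TEMPLATE = compile('<li class="working-set">{{ escapeHtml(name) }}</li>');
function renderWorkingSetSafe(name, ctx) {
  return WORKING_SET_TEMPLATE({ ...ctx, name, escapeHtml });
}

// Input validation for the create-working-set step (assumed policy, not
// NetAct's): allow-list the characters a name may contain, so template
// delimiters and HTML metacharacters are rejected before the name is stored.
const NAME_PATTERN = /^[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}$/;
function isValidWorkingSetName(name) {
  return typeof name === 'string' && NAME_PATTERN.test(name);
}

// Stand-alone demonstration with a constructed page context and sample names.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const ctx = { sessionUser: 'alice' }; // constructed context value
  for (const name of ['Core routers 01', '{{ 7*7 }}', '{{ sessionUser }}']) {
    console.log(`name=${JSON.stringify(name)} valid=${isValidWorkingSetName(name)}`);
    console.log('  unsafe:', renderWorkingSetUnsafe(name, ctx));
    console.log('  safe:  ', renderWorkingSetSafe(name, ctx));
  }
}
```

Two controls are shown because they address different layers: the allow-list is the missing input validation at the create step that the advisory describes, and the fixed-template rendering ensures that a name which reaches the browser (for example one stored before the fix) is still handled as data rather than as template source.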
Affected products and versions
| Product | Versions |
|---|---|
| NetAct | NetAct 20, NetAct 22 |
Mitigation plan
A fix has been provided on top of NetAct 22. No fix is listed for NetAct 20, although it is named as affected above.
Acknowledgements
- Vladimir Razov from Positive Technologies
- Aleksandr Ustinov from Positive Technologies
References
Change history: initial version published on 28-02-2023