CVE-2023-26061
Stored Cross-Site Scripting (XSS) Vulnerability in Nokia NetAct
| Public disclosure | 28-02-2023 |
|---|---|
| Last updated | 28-02-2023 |
| Vulnerability type | Cross-Site Scripting (XSS) |
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N |
| CVSS score | 6.8 |
Description
In the NetAct working set manager, input validation is not properly implemented when creating a scheduled task in the alarm reports dashboard function. This vulnerability may allow XSS injection by creating a malicious script on the scheduled search tab of the alarm reports dashboard page.
This vulnerability is very difficult to exploit from outside, because several dynamically created parameters (e.g. JSESSIONID, CSRF token and Nxsrf tokens) would be needed. The attack can only be performed by an internal user.
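The following is an added illustration of the stored-XSS pattern the advisory describes, not Nokia's or NetAct's code: a user-supplied scheduled-task name is persisted without validation and later written into the dashboard page unescaped, so the stored markup runs in every viewer's browser. It shows the two defender-side controls that close this class of bug, an allowlist check at the write path (the input validation the advisory says was missing) and HTML output encoding at the read path. The in-memory store, the field names, the allowlist pattern and the sample values are all constructed for the example.

```javascript
// Added example (not NetAct's code): stored XSS via an unvalidated, unescaped
// scheduled-task name, beside the write-path validation and output encoding
// that mitigate it. Store, field names, regex and sample inputs are constructed.

// Constructed in-memory store standing in for the scheduled-task table.
const scheduledTasks = [];

// HTML-encode the characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Write-path validation: a conservative allowlist for a task name (constructed).
// Rejecting bad input on create complements output encoding; it does not replace it.
const TASK_NAME_RE = /^[A-Za-z0-9 _.\-]{1,64}$/;

function createScheduledTask(name, owner) {
  if (!TASK_NAME_RE.test(name)) {
    throw new Error("invalid task name");
  }
  const task = { id: scheduledTasks.length + 1, name, owner };
  scheduledTasks.push(task);
  return task;
}

// Vulnerable rendering: the stored value is concatenated straight into markup,
// so whatever one authenticated user saved is rendered as HTML for everyone.
function renderTaskRowUnsafe(task) {
  return `<tr><td>${task.id}</td><td>${task.name}</td><td>${task.owner}</td></tr>`;
}

// Hardened rendering: every stored field is encoded for its HTML context.
function renderTaskRowSafe(task) {
  return `<tr><td>${escapeHtml(task.id)}</td><td>${escapeHtml(task.name)}</td><td>${escapeHtml(task.owner)}</td></tr>`;
}

// Constructed sample value of the shape a stored-XSS test case looks for.
const CONSTRUCTED_PAYLOAD = '<script>alert("xss")</script>';

// Compare the two renderers on a record that bypassed write-path validation:
// the unsafe one reproduces the tag verbatim, the safe one neutralises it.
function demo() {
  const stored = { id: 7, name: CONSTRUCTED_PAYLOAD, owner: "operator1" };
  return {
    unsafeContainsTag: renderTaskRowUnsafe(stored).includes("<script>"),
    safeContainsTag: renderTaskRowSafe(stored).includes("<script>"),
    safeRow: renderTaskRowSafe(stored),
  };
}
```

Both controls matter here because the advisory's attacker is an authenticated internal user: validation on create stops the malicious name from being stored at all, while encoding on render protects viewers even if a record reaches the store by another path (an older version, an import, a direct database edit).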
Affected products and versions
| Product | Versions |
|---|---|
| NetAct | NetAct 20, NetAct 22 |
Mitigation plan
A fix has been provided on top of NetAct 22.
Acknowledgements
- Vladimir Razov from Positive Technologies
- Aleksandr Ustinov from Positive Technologies
References
Change history: Initial version published on 28-02-2023.