Headline
CVE-2023-26059: PT-2022-03: Stored Cross-Site Scripting (XSS)
An issue was discovered in Nokia NetAct before 22 SP1037. On the Site Configuration Tool tab, attackers can upload a ZIP file which, when processed, exploits Stored XSS. The upload option of the Site Configuration tool does not validate the file contents. The application is in a demilitarised zone behind a perimeter firewall and without exposure to the internet. The attack can only be performed by an internal user.
Nokia
Vulnerable software
NetAct v 20.1
Severity level
Severity level: Medium
Impact: Stored Cross-Site Scripting (XSS)
Access Vector: Remote
CVSS v3.1
Base Score: 5,0
Vector: (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N/MAV:L/MAC:H/MPR:L/MUI:R/MS:C/MC:L/MI:L/MA:L)
CVE-2023-26059
Vulnerability description:
Since the Site Configuration tool has an upload option, it doesn’t validate the file contents. An attacker can upload a Zip file which, when processed, exploits Stored XSS. The attack can only be performed by an internal user. NetAct 22 SP1037 is already delivered on top of NetAct 22 FP2208, SP package would be delivered on request for other releases.
Advisory status
10.10.2022 - Vendor gets vulnerability details
Credits
The vulnerability was detected by Vladimir Razov and Aleksandr Ustinov (Positive Technologies)