Security
Headlines
HeadlinesLatestCVEs

Tag

#nokia

CVE-2023-26058: PT-2022-02: XML External Entity (XXE)

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

CVE
#csrf#vulnerability#mac#js#ssrf#nokia
CVE-2023-26059: PT-2022-03: Stored Cross-Site Scripting (XSS)

An issue was discovered in Nokia NetAct before 22 SP1037. On the Site Configuration Tool tab, attackers can upload a ZIP file which, when processed, exploits Stored XSS. The upload option of the Site Configuration tool does not validate the file contents. The application is in a demilitarised zone behind a perimeter firewall and without exposure to the internet. The attack can only be performed by an internal user.

CVE-2023-26060: PT-2022-04: Cross Site Template Injection (CSTI)

An issue was discovered in Nokia NetAct before 22 FP2211. On the Working Set Manager page, users can create a Working Set with a name that has a client-side template injection payload. Input validation is missing during creation of the working set. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

CVE-2023-26061: PT-2022-05: Stored Cross-Site Scripting (XSS)

An issue was discovered in Nokia NetAct before 22 FP2211. On the Scheduled Search tab under the Alarm Reports Dashboard page, users can create a script to inject XSS. Input validation was missing during creation of a scheduled task. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

Criminals Are Using Tiny Devices to Hack and Steal Cars

Apple thwarts NSO’s spyware, the rise of a GPT-4 black market, Russia targets Starlink internet connections, and more.

Nokia OneNDS 20.9 Insecure Permissions / Privilege Escalation

Nokia OneNDS 20.9 has loose sudo permissions that can allow users to escalate privileges.

Nokia OneNDS 17 Insecure Permissions / Privilege Escalation

Nokia OneNDS 17 has loose sudo permissions that can allow users to escalate privileges.

CVE-2023-21100: Android Security Bulletin—April 2023

In inflate of inflate.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12L Android-13Android ID: A-242544249

CVE-2022-20467: Android Security Bulletin—March 2023

In isBluetoothShareUri of BluetoothOppUtility.java, there is a possible incorrect file read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-225880741

The Sketchy Plan to Build a Russian Android Phone

Amid isolating sanctions, a Russian tech giant plans to launch new Android phones and tablets. But experts are skeptical the company can pull it off.