Boolean Blind SQL Injection Vulnerability in Nokia Broadcast Message Center
CVE-2021-35487

6.5MEDIUM

Key Information:

Vendor: Nokia
Status: Broadcast Message Center
Vendor: CVE Published:; 25 May 2022

What is CVE-2021-35487?

The Nokia Broadcast Message Center, up to version 11.1.0, contains a vulnerability that allows an authenticated user to execute a Boolean Blind SQL Injection attack. This occurs on the endpoint /owui/block/send-receive-updates, particularly on the Manage Alerts page via the extIdentifier HTTP POST parameter. Successful exploitation can reveal sensitive information such as the database user, database name, version details, and potentially expose data residing in the database.

References

https://www.nokia.com/notices/responsible-disclosure/

x_refsource_MISC

https://www.gruppotim.it/it/footer/red-team.html

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 25, 2022
Vulnerability Reserved
Jun 24, 2021

CVE-2021-35487 Data

JSON