XML External Entity Attack in Nokia NetAct Configuration Dashboard
CVE-2023-26057
6.5 MEDIUM
What is CVE-2023-26057?
An XML External Entity (XXE) vulnerability has been identified in Nokia's NetAct product prior to version 22 FP2211. This issue arises due to inadequate input validation and improper configuration of the XML parser on the Configuration Dashboard page. Although the exploitation of this vulnerability is notably challenging for external attackers—who would need to navigate dynamically generated parameters such as Jsession-id, CSRF token, and Nxsrf token—internal users may have a plausible attack vector, making it critical for organizations to secure internal access.
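The parser-configuration side of this issue can be shown with a strict parsing wrapper. This is an added example, not Nokia's code: the page does not say which XML parser NetAct uses, so Python's expat binding stands in, and the names `parse_strict`, `ForbiddenXML` and both sample documents are constructed for illustration.

```python
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """Raised when a document carries a DTD, entity declaration or external reference."""


def parse_strict(data: bytes) -> list:
    """Parse XML with expat, refusing any DOCTYPE; return (tag, text) pairs in close order."""
    parser = xml.parsers.expat.ParserCreate()
    found, stack = [], []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE declaration not allowed: {name!r}")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML(f"entity declaration not allowed: {name!r}")

    def reject_external(context, base, sysid, pubid):
        raise ForbiddenXML(f"external entity reference not allowed: {sysid!r}")

    # Defence in depth: the DOCTYPE handler fires first, the others catch
    # anything that would otherwise declare or resolve an entity.
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external

    def start(tag, attrs):
        stack.append([tag, ""])

    def chars(text):
        if stack:
            stack[-1][1] += text

    def end(tag):
        name, text = stack.pop()
        found.append((name, text.strip()))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)  # exceptions raised in handlers propagate to the caller
    return found


# Constructed sample inputs (not taken from NetAct traffic).
BENIGN = b"<config><name>cell-1</name></config>"
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE config [<!ENTITY ext SYSTEM '
            b'"file:///constructed/placeholder">]><config><name>&ext;</name></config>')
```

Rejecting the DOCTYPE outright, rather than filtering individual entities, is the setting to look for when reviewing any parser that accepts user-supplied XML.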