XML External Entity Injection in Nokia NetAct Software
CVE-2023-26058

6.5MEDIUM

Key Information:

Vendor: Nokia
Status: Netact
Vendor: CVE Published:; 25 April 2023

Summary

An XML External Entity Injection (XXE) vulnerability has been identified in Nokia's NetAct software prior to version 22 FP2211. This issue arises from inadequate input validation and misconfiguration of the XML parser used in the Performance Manager page. While the complexity of the attack limits its practicality to internal users, it remains a concern as it may allow an attacker with access to internal systems to craft malicious XML documents that could exploit this weakness, leading to potential exposure of sensitive data.

References

https://nokia.com

https://www.ptsecurity.com/ww-en/analytics/threatscape/pt...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 25, 2023
Vulnerability Reserved
Feb 19, 2023