Client-Side Template Injection in Nokia NetAct
CVE-2023-26060

8.8HIGH

Key Information:

Vendor: Nokia
Status: Netact
Vendor: CVE Published:; 24 April 2023

Summary

A vulnerability exists in Nokia NetAct that allows internal users to create a Working Set with malicious client-side template injection payloads. This issue is due to insufficient input validation during the creation of Working Sets on the Working Set Manager page. Although external exploitation is challenging due to required dynamic parameters like Jsession-id, a CSRF token, and an Nxsrf token, the risk remains significant within internal environments.

References

https://nokia.com

https://www.ptsecurity.com/ww-en/analytics/threatscape/pt...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 24, 2023
Vulnerability Reserved
Feb 19, 2023