This page lists publicly disclosed CVE vulnerabilities affecting nokia netact (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2022-30280 | /SecurityManagement/html/createuser.jsf in Nokia NetAct 22 allows CSRF. A remote attacker is able to create users with arbitrary privileges, even administrative privileges. The application (even if it implements a CSRF token for the random GET request) does not ever verify a CSRF token. With a little help of social engineering/phishing (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim | [email protected] | 8.8 | 0.27% | 2023-07-24 | 2024-11-21 |
| CVE-2022-28867 | An issue was discovered in Nokia NetAct 22 through the Administration of Measurements website section. A malicious user can edit or add the templateName parameter in order to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Here, the /aom/html/EditTemplate.jsf and /aom/html/ViewAllTemplatesPage.jsf templa | [email protected] | 5.4 | 0.07% | 2023-07-24 | 2024-11-21 |
| CVE-2022-28865 | An issue was discovered in Nokia NetAct 22 through the Site Configuration Tool website section. A malicious user can change a filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Here, the /netact/sct filename parameter is used. | [email protected] | 5.4 | 0.07% | 2023-07-24 | 2024-11-21 |
| CVE-2022-28864 | An issue was discovered in Nokia NetAct 22 through the Administration of Measurements website section. A malicious user can edit or add the templateName parameter in order to include malicious code, which is then downloaded as a .csv or .xlsx file and executed on a victim machine. Here, the /aom/html/EditTemplate.jsf and /aom/html/ViewAllTemplatesPage.jsf templateName parameter is used. | [email protected] | 8.8 | 0.16% | 2023-07-24 | 2024-11-21 |
| CVE-2022-28863 | An issue was discovered in Nokia NetAct 22. A remote user, authenticated to the website, can visit the Site Configuration Tool section and arbitrarily upload potentially dangerous files without restrictions via the /netact/sct dir parameter in conjunction with the operation=upload value. | [email protected] | 8.8 | 0.46% | 2023-07-24 | 2024-11-21 |
| CVE-2023-26058 | An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. | [email protected] | 6.5 | 0.21% | 2023-04-25 | 2025-02-04 |
| CVE-2023-26057 | An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. | [email protected] | 6.5 | 0.21% | 2023-04-25 | 2025-02-04 |
| CVE-2023-26059 | An issue was discovered in Nokia NetAct before 22 SP1037. On the Site Configuration Tool tab, attackers can upload a ZIP file which, when processed, exploits Stored XSS. The upload option of the Site Configuration tool does not validate the file contents. The application is in a demilitarised zone behind a perimeter firewall and without exposure to the internet. The attack can only be performed by an internal user. | [email protected] | 6.8 | 0.28% | 2023-04-24 | 2025-02-04 |
| CVE-2023-26061 | An issue was discovered in Nokia NetAct before 22 FP2211. On the Scheduled Search tab under the Alarm Reports Dashboard page, users can create a script to inject XSS. Input validation was missing during creation of a scheduled task. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. | [email protected] | 6.8 | 0.32% | 2023-04-24 | 2025-02-04 |
| CVE-2023-26060 | An issue was discovered in Nokia NetAct before 22 FP2211. On the Working Set Manager page, users can create a Working Set with a name that has a client-side template injection payload. Input validation is missing during creation of the working set. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. | [email protected] | 6.8 | 0.35% | 2023-04-24 | 2025-02-04 |
| CVE-2021-26597 | An issue was discovered in Nokia NetAct 18A. A remote user, authenticated to the NOKIA NetAct Web Page, can visit the Site Configuration Tool web site section and arbitrarily upload potentially dangerous files without restrictions via the /netact/sct dir parameter in conjunction with the operation=upload value. | [email protected] | 6.5 | 0.30% | 2021-03-25 | 2024-11-21 |
| CVE-2021-26596 | An issue was discovered in Nokia NetAct 18A. A malicious user can change a filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Here, the /netact/sct filename parameter is used. | [email protected] | 5.4 | 0.32% | 2021-03-25 | 2024-11-21 |