Severity: 8.8
CWE: 94, 20, 352

CVE-2023-26060: Code Injection

First published: Mon Apr 24 2023

An issue was discovered in Nokia NetAct before 22 FP2211. On the Working Set Manager page, users can create a Working Set with a name that has a client-side template injection payload. Input validation is missing during creation of the working set. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

Credit: cve@mitre.org

Affected Software | Affected Version | How to fix
Nokia NetAct | <20.1 |


Frequently Asked Questions

  • What is CVE-2023-26060?

    CVE-2023-26060 is a vulnerability in Nokia NetAct before 22 FP2211 that allows for client-side template injection.

  • What is the severity of CVE-2023-26060?

    CVE-2023-26060 has a severity rating of 8.8 (high).

  • How does CVE-2023-26060 affect Nokia NetAct?

    CVE-2023-26060 affects Nokia NetAct versions up to and excluding 22 FP2211.

  • How can an external attacker exploit CVE-2023-26060?

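    Input validation is missing when a Working Set is created, so a Working Set name can carry a client-side template injection payload. For an external attacker this is very difficult to exploit, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed; the attack can realistically only be performed by an internal user.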

  • Where can I find more information about CVE-2023-26060?

    You can find more information about CVE-2023-26060 on the Nokia website and the PT Security Threatscape report.
