First published: Mon Apr 24 2023
An issue was discovered in Nokia NetAct before 22 FP2211. On the Working Set Manager page, users can create a Working Set with a name that has a client-side template injection payload. Input validation is missing during creation of the working set. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Nokia NetAct | <20.1 | |
CVE-2023-26060 is a vulnerability in Nokia NetAct before 22 FP2211 that allows for client-side template injection.
CVE-2023-26060 has a severity rating of 8.8 (high).
CVE-2023-26060 affects Nokia NetAct versions up to and excluding 22 FP2211.
Due to missing input validation, an external attacker can exploit CVE-2023-26060 by creating a Working Set with a name that includes a client-side template injection payload.
You can find more information about CVE-2023-26060 on the Nokia website and the PT Security Threatscape report.