6.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
40.5%
Nokia
Vulnerable software
NetAct v 20.1
Severity level
Severity level: Medium
Impact: Stored Cross-Site Scripting (XSS)
Access Vector: Remote
CVSS v3.1
Base Score: 5,0
Vector: (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N/MAV:L/MAC:H/MPR:L/MUI:R/MS:C/MC:L/MI:L/MA:L)
CVE-2023-26059
Vulnerability description:
Since the Site Configuration tool has an upload option, it doesnβt validate the file contents. An attacker can upload a Zip file which, when processed, exploits Stored XSS. The attack can only be performed by an internal user. NetAct 22 SP1037 is already delivered on top of NetAct 22 FP2208, SP package would be delivered on request for other releases.
Advisory status
10.10.2022 - Vendor gets vulnerability details
Credits
The vulnerability was detected by Vladimir Razov and Aleksandr Ustinov (Positive Technologies)