Positive TechnologiesPT-2022-04PT-2022-04: Cross Site Template Injection (CSTI)
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
45.2%
PT-2022-04: Cross Site Template Injection (CSTI)
Nokia
Vulnerable software
NetAct v 20.1
Severity level
Severity level: Medium
Impact: Cross Site Template Injection (CSTI)
Access Vector: Remote
CVSS v3.1
Base Score: 5,0
Vector: (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N/MAV:L/MAC:H/MPR:L/MUI:R/MS:C/MC:L/MI:L/MA:L)
CVE-2023-26060
Vulnerability description:
Input validation was missing while creating the working set, in working set manager application. Nokia NetAct users can create a Working Set with a name that injects a client-side template Injection payloads. The attack can only be performed by an internal user. The vulnerability is fixed in NetAct 22 FP2211 and onwards.
Advisory status
10.10.2022 - Vendor gets vulnerability details
Credits
The vulnerability was detected by Vladimir Razov and Aleksandr Ustinov (Positive Technologies)
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
45.2%