PT-2021-17069 · Nokia · Nokia Netact

Andrea Carlo Maria Dattola

Published

2021-03-25

Updated

2021-10-02

CVE-2021-26596

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Nokia NetAct version 18A

Description A malicious user can modify the filename of an uploaded file to include JavaScript code. This code is then stored and executed by a victim's web browser. The issue can be exploited by including malicious content as a parameter in a URL, which is then posted publicly or e-mailed to victims. Specifically, the /netact/sct API endpoint is used, with the filename parameter being vulnerable.

Recommendations For Nokia NetAct version 18A, consider disabling the ability to upload files or restricting access to the /netact/sct API endpoint until a fix is available. Additionally, avoid using the filename parameter in the affected API endpoint to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2021-26596

Affected Products

Nokia Netact

PT-2021-17069 · Nokia · Nokia Netact

CVE-2021-26596

Weakness Enumeration

Related Identifiers

Affected Products

References · 5