PT-2021-17070 · Nokia · Nokia Netact

Andrea Carlo Maria Dattola +2 · Published 2021-03-25 · Updated 2021-10-02 · CVE-2021-26597

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Nokia NetAct version 18A

Description

A remote user, authenticated to the Nokia NetAct Web Page, can upload potentially dangerous files without restrictions. This is achieved by visiting the Site Configuration Tool web site section and using the /netact/sct API endpoint with the dir parameter in conjunction with the operation=upload value.

Recommendations

For Nokia NetAct version 18A, restrict access to the /netact/sct API endpoint to prevent arbitrary file uploads until a fix is available. As a temporary workaround, consider disabling the file upload functionality via the operation=upload value to minimize the risk of exploitation.

Exploit

Fix

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2021-26597

Affected Products

Nokia Netact