PT-2022-6441 · Nokia · Nokia NetAct

Aleksandr Ustinov, +1 · Published 2022-10-10 · Updated 2025-02-04 · CVE-2023-26061

CVSS v3.1: 6.8 (Medium)
Vector: AC:L/AV:N/A:N/C:H/I:N/PR:L/S:C/UI:R
Name of the Vulnerable Software and Affected Versions: Nokia NetAct versions prior to 22 FP2211

Description: The issue is related to insufficient protection of the web page structure when creating tasks. It allows an attacker to perform cross-site scripting (XSS) attacks by injecting scripts. The vulnerability can be exploited on the Scheduled Search tab under the Alarm Reports Dashboard page, where a user can inject a script into a scheduled task because input is not validated when the task is created. For an external attacker, exploitation is very difficult, because several dynamically created parameters (a Jsession-id, a CSRF token, and an Nxsrf token) would be needed. Realistically, the attack can only be performed by an internal user.

Recommendations: For Nokia NetAct versions prior to 22 FP2211, update to version 22 FP2211 or later to resolve the issue. As a temporary workaround, consider restricting access to the Scheduled Search tab under the Alarm Reports Dashboard page to minimize the risk of exploitation. Additionally, restrict the ability to create scripts on this page until the issue is resolved.

Fix · XSS

Weakness Enumeration

Related Identifiers

BDU:2023-01303
CVE-2023-26061

Affected Products

Nokia NetAct