PT-2022-6442 · Nokia · Netact

Aleksandr Ustinov +1

Published 2022-10-10 · Updated 2025-02-04 · CVE-2023-26060

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Nokia NetAct versions prior to 22 FP2211

Description: The issue stems from missing input validation when creating a working set in the NetAct system, which allows an attacker to inject a client-side template payload and thereby execute arbitrary JavaScript code. The attack can be performed by an internal user; exploiting the issue from outside is difficult because it requires dynamically created parameters such as the JSESSIONID, CSRF token, and Nxsrf token.

Recommendations: For versions prior to 22 FP2211, update to version 22 FP2211 or later to resolve the issue. As a temporary workaround, consider restricting access to the Working Set Manager page to minimize the risk of exploitation. Additionally, ensure that all users are aware of the potential risk and take the necessary precautions to avoid injecting malicious payloads when creating working sets.
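As an added illustration, not Nokia's code and not NetAct's actual template engine: a constructed mini template engine that shows the pattern the description names (user-controlled working set data reaching the client-side template compiler) next to the hardened pattern, plus an input-validation check of the kind the recommendations call for. All function names and the name policy are assumptions.

```javascript
// Constructed toy engine: every {{expr}} is evaluated as JavaScript against
// the supplied data object, as client-side template frameworks do.
function compileTemplate(template, data) {
  const keys = Object.keys(data);
  const values = Object.values(data);
  return template.replace(/\{\{([^}]*)\}\}/g, (_, expr) =>
    String(new Function(...keys, `return (${expr});`)(...values)));
}

// Minimal HTML output encoding for text placed inside element content.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: the user-controlled name is concatenated into the
// template text *before* compilation, so template delimiters inside the
// name are compiled and evaluated instead of being shown as text.
function renderWorkingSetUnsafe(name) {
  return compileTemplate('<li>Working set: ' + name + '</li>', {});
}

// Hardened pattern: the template text is a fixed string the user never
// touches; the name is passed as data and HTML-encoded on output.
// The rendered string must then be inserted as text, never fed back
// through the compiler, or the delimiters in the data would be evaluated.
function renderWorkingSetSafe(name) {
  return compileTemplate('<li>Working set: {{escapeHtml(name)}}</li>',
    { name, escapeHtml });
}

// Defense in depth: refuse names that carry template or HTML delimiters.
// The allowed character set is a constructed policy, not NetAct's own rule.
function isValidWorkingSetName(name) {
  return typeof name === 'string' && name.length > 0 && name.length <= 64 &&
    /^[A-Za-z0-9 _.-]+$/.test(name);
}
```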

Status: Fix

Weakness Enumeration

Improper Encoding or Escaping of Output

Code Injection

Related Identifiers

BDU:2023-01304
CVE-2023-26060

Affected Products

Netact