PT-2022-6444 · Nokia · Nokia Netact

Aleksandr Ustinov +1

Published 2022-10-10 · Updated 2023-05-04 · CVE-2023-26058

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Nokia NetAct versions prior to 22 FP2211

Description

An XXE issue was discovered in Nokia NetAct via an XML document to a Performance Manager page, where input validation and a proper XML parser configuration are missing. This could allow an attacker to gain unauthorized access to protected information or perform an SSRF attack. For an external attacker, it is very difficult to exploit this issue, as dynamically created parameters such as Jsession-id, CSRF token, and Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

Recommendations

For Nokia NetAct versions prior to 22 FP2211, update to version 22 FP2211 or later to resolve the issue. As a temporary workaround, consider restricting access to the Performance Manager page and ensuring proper input validation and XML parser configuration to minimize the risk of exploitation. Restrict access to dynamically created parameters such as Jsession-id, CSRF token, and Nxsrf token to prevent unauthorized access.
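The "proper input validation and XML parser configuration" the recommendation calls for, shown as an added illustration that is not NetAct's or Nokia's code: a Python pre-parse check built on the standard library's expat bindings that rejects any DOCTYPE, entity declaration or external entity reference before the document reaches the application's own parser. The report format, element names and the SYSTEM URI are constructed placeholders, not NetAct's.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """The document uses a DTD feature that enables XXE or SSRF."""


def reject_dtd_features(xml_bytes: bytes) -> None:
    """Input-validation pass run before the application parser sees the data.

    Walks the document with expat and refuses any DOCTYPE, entity declaration
    or external entity reference: a performance report never needs a DTD, so
    everything DTD-related is rejected rather than sorting safe from unsafe.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE not allowed (root element {name!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError(f"entity declaration not allowed: {name!r}")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXmlError(f"external entity reference not allowed: {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)  # an exception raised in a handler propagates

def parse_report(xml_bytes: bytes) -> dict:
    """Validate, then parse; returns {measurement name: value} (constructed format)."""
    reject_dtd_features(xml_bytes)
    root = ET.fromstring(xml_bytes)
    return {m.get("name"): m.text for m in root.iter("measurement")}

def is_accepted(xml_bytes: bytes) -> bool:
    """True if the document passes validation and parses, False if rejected."""
    try:
        parse_report(xml_bytes)
        return True
    except (UnsafeXmlError, ET.ParseError, xml.parsers.expat.ExpatError):
        return False

# Constructed samples: a benign report and one carrying an external entity.
BENIGN = b'<report><measurement name="rx_bytes">1024</measurement></report>'
XXE = (b'<!DOCTYPE report [<!ENTITY ext SYSTEM "file:///placeholder/protected">]>'
       b'<report><measurement name="rx_bytes">&ext;</measurement></report>')
```

Because the check rejects the DOCTYPE itself, internal-subset entity declarations (the entity-expansion denial-of-service variant) are refused as well, not only external ones.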

Fix

XXE

Weakness Enumeration

Related Identifiers

BDU:2023-01306
CVE-2023-26058

Affected Products

Nokia Netact