PT-2022-6445 · Nokia · Nokia Netact
Aleksandr Ustinov (+1)
Published: 2022-10-10
Updated: 2023-05-04
CVE-2023-26057
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Nokia NetAct versions prior to 22 FP2211
Description
An XXE (XML External Entity) issue was discovered in the Configuration Dashboard page, which accepts an XML document without input validation and without a properly configured XML parser. The issue is difficult for an external attacker to exploit, since a request needs dynamically created parameters such as the Jsession-id, the CSRF token and the Nxsrf token; realistically, the attack can only be performed by an internal user. The root cause is improper restriction of XML references to external objects, which may allow an attacker to gain unauthorized access to protected information or to perform an SSRF attack.
Recommendations
For Nokia NetAct versions prior to 22 FP2211, consider implementing proper input validation and configuring the XML parser properly to mitigate the risk of exploitation. As a temporary workaround, restrict access to the Configuration Dashboard page to minimize the risk of internal users exploiting this issue. Ensure that all dynamically created parameters, such as the Jsession-id, the CSRF token and the Nxsrf token, are properly validated and secured.
Fix
XXE
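The recommendation above asks for a "proper XML parser configuration" without spelling it out. The following is an added example, written for this page and not Nokia's or NetAct's code, of what that configuration looks like for a Java (JAXP) web application. It assumes the JDK's built-in Xerces-based parser, whose feature URIs it uses; `setFeature` throws `ParserConfigurationException` on a parser that does not know them. The two sample documents are constructed for the example; the second one carries only an inline DOCTYPE with a harmless internal entity, which is enough to exercise the check.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SafeXmlParsing {

    // Constructed sample input (not taken from NetAct): one plain document
    // and one that carries a DOCTYPE with an internal entity.
    static final String PLAIN_DOC = "<dashboard><widget name=\"alarms\"/></dashboard>";
    static final String DOCTYPE_DOC =
        "<!DOCTYPE dashboard [<!ENTITY w \"alarms\">]>"
        + "<dashboard><widget name=\"&w;\"/></dashboard>";

    /** Out-of-the-box JAXP factory: DTDs are processed and entities expanded. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened factory: the standard JAXP settings that close the XXE/SSRF path. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright. This single feature defeats classic XXE
        // and entity-expansion attacks, because there is no DTD to declare entities in.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where a DOCTYPE must be tolerated:
        // never resolve external general or parameter entities, never fetch an external DTD.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // XInclude is another way to pull in remote or local content; keep it off.
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 properties: an empty protocol list means no external DTD/schema access at all.
        // Older third-party Xerces builds may not know these attributes, hence the catch.
        try {
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (IllegalArgumentException unsupported) {
            // The disallow-doctype-decl feature above still protects us on such parsers.
        }
        return dbf.newDocumentBuilder();
    }

    /** Returns true when the builder accepts the document, false when it rejects it. */
    static boolean parses(DocumentBuilder db, String xml) {
        try {
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder loose = defaultBuilder();
        DocumentBuilder strict = hardenedBuilder();
        System.out.println("plain document, default parser:    " + parses(loose, PLAIN_DOC));
        System.out.println("DOCTYPE document, default parser:  " + parses(loose, DOCTYPE_DOC));
        System.out.println("plain document, hardened parser:   " + parses(strict, PLAIN_DOC));
        System.out.println("DOCTYPE document, hardened parser: " + parses(strict, DOCTYPE_DOC));
    }
}
```

Run it with `javac SafeXmlParsing.java && java SafeXmlParsing`. The default builder accepts both documents, which is the situation the advisory describes; the hardened builder still accepts the plain document but rejects the one with a DOCTYPE (the JDK also logs a "DOCTYPE is disallowed" fatal error to stderr). The caveat for the Configuration Dashboard case is that rejecting every DOCTYPE also rejects legitimate documents that rely on an internal DTD, so a page that must accept such input has to fall back on the external-entity features alone, and the same hardening needs to be applied to every other XML entry point (SAX, StAX, XPath, schema validation, XSLT), not just `DocumentBuilderFactory`.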
Affected Products
Nokia Netact