CVE-2022-28864

Name of the Vulnerable Software and Affected Versions Nokia NetAct version 22

Description An issue was discovered in the Administration of Measurements website section, where a malicious user can edit or add the templateName parameter to include malicious code. This code is then downloaded as a .csv or .xlsx file and executed on a victim machine. The issue involves the "/aom/html/EditTemplate.jsf" and "/aom/html/ViewAllTemplatesPage.jsf" API endpoints, where the templateName parameter is used.

Recommendations For Nokia NetAct version 22, as a temporary workaround, consider restricting access to the "/aom/html/EditTemplate.jsf" and "/aom/html/ViewAllTemplatesPage.jsf" API endpoints to minimize the risk of exploitation. Avoid using the templateName parameter in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.