CVE-2022-28865

Name of the Vulnerable Software and Affected Versions Nokia NetAct version 22

Description An issue was discovered in the Site Configuration Tool website section, where a malicious user can change the filename of an uploaded file to include JavaScript code. This code is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. The API endpoint "/netact/sct" with the filename parameter is used for this purpose.

Recommendations For Nokia NetAct version 22, consider disabling the ability to upload files through the Site Configuration Tool website section until a patch is available. Restrict access to the "/netact/sct" API endpoint to minimize the risk of exploitation. Avoid using the filename parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.