CVE-2022-28867

Name of the Vulnerable Software and Affected Versions Nokia NetAct version 22

Description An issue was discovered in the Administration of Measurements website section, where a malicious user can edit or add the templateName parameter to include JavaScript code. This code is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. The "/aom/html/EditTemplate.jsf" and "/aom/html/ViewAllTemplatesPage.jsf" templateName parameter is used.

Recommendations As a temporary workaround, consider disabling the use of the templateName parameter in the affected API endpoints until a patch is available. Restrict access to the "/aom/html/EditTemplate.jsf" and "/aom/html/ViewAllTemplatesPage.jsf" endpoints to minimize the risk of exploitation. Avoid using the templateName parameter in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.