CVE-2022-30280

Name of the Vulnerable Software and Affected Versions Nokia NetAct version 22

Description The issue concerns a CSRF vulnerability in the /SecurityManagement/html/createuser.jsf endpoint. A remote attacker can create users with arbitrary privileges, including administrative privileges, due to the application's failure to verify a CSRF token. This can be exploited with social engineering or phishing tactics, allowing an attacker to trick users into executing unintended actions. If the victim is a normal user, a successful attack can force them to perform state-changing requests. If the victim is an administrative account, the entire web application can be compromised.

Recommendations As a temporary workaround, consider disabling access to the /SecurityManagement/html/createuser.jsf endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.