CVE-2021-35484

Name of the Vulnerable Software and Affected Versions Nokia IMPACT versions through 19.11.2.10-20210118042150283

Description An authenticated user can perform a Time-based Boolean Blind SQL Injection attack. The attack targets the /ui/rest-proxy/campaign/statistic API endpoint via the sortColumn HTTP GET parameter. Successful exploitation allows an attacker to access sensitive data from the database, including the database user, database name, and database version information.

Recommendations Versions prior to 19.11.2.10-20210118042150283 should be updated. Restrict access to the /ui/rest-proxy/campaign/statistic endpoint. Avoid using the sortColumn parameter in the affected API endpoint until the issue is resolved.