Security
Headlines
HeadlinesLatestCVEs

Tag

#nokia

CVE-2022-30759: Nokia OneNDS 20.9 Insecure Permissions

In Nokia One-NDS (aka Network Directory Server) through 20.9, some Sudo permissions can be exploited by some users to escalate to root privileges and execute arbitrary commands.

CVE
Open in Source
#vulnerability#nokia#rpm
CVE-2022-31244: Nokia OneNDS 17 Insecure Permissions

Nokia OneNDS 17r2 has Insecure Permissions vulnerability that allows for privilege escalation.

CVE-2023-26057: PT-2022-01: XML External Entity (XXE)

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

CVE-2023-26058: PT-2022-02: XML External Entity (XXE)

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

CVE-2023-26059: PT-2022-03: Stored Cross-Site Scripting (XSS)

An issue was discovered in Nokia NetAct before 22 SP1037. On the Site Configuration Tool tab, attackers can upload a ZIP file which, when processed, exploits Stored XSS. The upload option of the Site Configuration tool does not validate the file contents. The application is in a demilitarised zone behind a perimeter firewall and without exposure to the internet. The attack can only be performed by an internal user.

CVE-2023-26060: PT-2022-04: Cross Site Template Injection (CSTI)

An issue was discovered in Nokia NetAct before 22 FP2211. On the Working Set Manager page, users can create a Working Set with a name that has a client-side template injection payload. Input validation is missing during creation of the working set. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

CVE-2023-26061: PT-2022-05: Stored Cross-Site Scripting (XSS)

An issue was discovered in Nokia NetAct before 22 FP2211. On the Scheduled Search tab under the Alarm Reports Dashboard page, users can create a script to inject XSS. Input validation was missing during creation of a scheduled task. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

Criminals Are Using Tiny Devices to Hack and Steal Cars

Apple thwarts NSO’s spyware, the rise of a GPT-4 black market, Russia targets Starlink internet connections, and more.

Nokia OneNDS 20.9 Insecure Permissions / Privilege Escalation

Nokia OneNDS 20.9 has loose sudo permissions that can allow users to escalate privileges.

Nokia OneNDS 17 Insecure Permissions / Privilege Escalation

Nokia OneNDS 17 has loose sudo permissions that can allow users to escalate privileges.