CVE-2022-28865

low-risk
Published 2023-07-24

An issue was discovered in Nokia NetAct 22 through the Site Configuration Tool website section. A malicious user can change a filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Here, the /netact/sct filename parameter is used.

Do I need to act?

-
0.09% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Netact

Affected Vendors

Nokia

References (4)

Exploit https://www.gruppotim.it/it/footer/red-team.html
Not Applicable https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.html
Exploit https://www.gruppotim.it/it/footer/red-team.html
Not Applicable https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.html
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal