Nokia IMPACT allows authenticated users to upload and execute JavaScript

Summary

A vulnerability in Nokia IMPACT allows an authenticated user to upload and run malicious JavaScript code, which can be executed by other users who visit the affected page. This could potentially allow an attacker to take control of the system or steal sensitive information. To protect against this, update Nokia IMPACT to the latest version or restrict access to the affected feature.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
nokia	impact	<= 19.11.2.10-20210118042150283	–

Original title

The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileup...

Original description

The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an existing one. If an authenticated user visits the web page where the file is published, the JavaScript code is executed.

nvd CVSS3.1 4.1

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://www.gruppotim.it/it/footer/red-team/2021/Motive-Impact-CVE-2021-35483.ht... Third Party Advisory
https://www.nokia.com/networks/solutions/impact-iot-platform/ Product
https://www.nokia.com/notices/responsible-disclosure/ Issue Tracking