PT-2022-03: Stored Cross-Site Scripting (XSS) Nokia Vulnerable software NetAct v 20.1 Severity level Severity level: Medium Impact: Stored Cross-Site Scripting (XSS) Access Vector: Remote CVSS v3.1 Base Score: 5,0 Vector: (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N/MAV:L/MAC:H/MPR:L/MUI:R/MS:C/MC:L/MI:L/MA:L) CVE-2023-26059 Vulnerability description:Since the Site Configuration tool has an upload option, it doesn’t validate the file contents. An attacker can upload a Zip file which, when processed, exploits Stored XSS. The attack can only be performed by an internal user. NetAct 22 SP1037 is already delivered on top of NetAct 22 FP2208, SP package would be delivered on request for other releases. Advisory status 10.10.2022 - Vendor gets vulnerability details Credits The vulnerability was detected by Vladimir Razov and Aleksandr Ustinov (Positive Technologies)