CVE-2021-35486

CVE-2021-35486 – NOKIA Impact

Vulnerability Description: Cross-Site Request Forgery (CSRF) - CWE-352
Software Version: NOKIA Impact 19.11.2.10-20210118042150283
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-35486
CVSS
Severity: 
Credits: Francesco Giordano, Veno Eivazian, Massimiliano Brolli

A remote attacker can import the entire application configuration without the victim's knowledge by enticing an authenticated admin user to visit an attacker-controlled web page. The application does not validate the CSRF token on the relevant POST request: the server checks neither the X-CSRF-NONCE HTTP header nor the CSRF-NONCE cookie. An attacker can therefore craft an HTML page that issues the request with XMLHttpRequest and deliver it to the victim; the victim's browser attaches the admin's session cookies automatically, and the server accepts the request as if the admin had submitted it.
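The following Python is an added illustration of the missing check, not code from this advisory or from Nokia Impact. It models the vulnerable handler (session cookie is the only thing checked) beside a hardened one that enforces the double-submit pattern the header and cookie names suggest: the value in the X-CSRF-NONCE header must equal the CSRF-NONCE cookie, and the Origin, when present, must be the application's own. The double-submit semantics, the origins, the request shape and the traffic are all assumptions constructed for the example.

```python
import hmac
import secrets

# Hypothetical origins used only for this example.
APP_ORIGIN = "https://impact.example"
ATTACKER_ORIGIN = "https://attacker.example"


def issue_nonce() -> str:
    """Random per-session nonce the server would set as the CSRF-NONCE cookie."""
    return secrets.token_urlsafe(32)


def make_request(method: str, cookies: dict, headers: dict) -> dict:
    """Minimal stand-in for an HTTP request (constructed, not a real framework object)."""
    return {"method": method, "cookies": dict(cookies), "headers": dict(headers)}


def vulnerable_import_config(req: dict) -> int:
    """Mirrors the flaw described: authentication is checked, the CSRF nonce is not."""
    if req["method"] != "POST":
        return 405
    if not req["cookies"].get("session"):
        return 401
    # Neither X-CSRF-NONCE nor CSRF-NONCE is inspected, so any site that can make the
    # victim's browser send a POST with its cookies can trigger the import.
    return 200


def hardened_import_config(req: dict, allowed_origin: str = APP_ORIGIN) -> int:
    """Double-submit check (assumed semantics): header nonce must match cookie nonce."""
    if req["method"] != "POST":
        return 405
    if not req["cookies"].get("session"):
        return 401
    cookie_nonce = req["cookies"].get("CSRF-NONCE")
    header_nonce = req["headers"].get("X-CSRF-NONCE")
    if not cookie_nonce or not header_nonce:
        return 403  # cross-site JS cannot read the cookie, so it cannot supply the header
    if not hmac.compare_digest(cookie_nonce, header_nonce):
        return 403  # constant-time comparison; a guessed value is rejected
    origin = req["headers"].get("Origin")
    if origin is not None and origin != allowed_origin:
        return 403  # defence in depth: exact-match origin, never a prefix test
    return 200


# Constructed traffic. The victim's browser holds a valid session and the nonce cookie.
NONCE = issue_nonce()
VICTIM_COOKIES = {"session": "victim-session-id", "CSRF-NONCE": NONCE}

# Same-origin request: the app's own script read CSRF-NONCE and copied it into the header.
LEGIT_REQUEST = make_request(
    "POST", VICTIM_COOKIES,
    {"Origin": APP_ORIGIN, "X-CSRF-NONCE": NONCE, "Content-Type": "application/json"},
)

# Cross-site request from the attacker's page: the browser attaches the victim's cookies,
# but the attacker's script cannot read CSRF-NONCE and so cannot set a matching header.
CSRF_REQUEST = make_request(
    "POST", VICTIM_COOKIES,
    {"Origin": ATTACKER_ORIGIN, "Content-Type": "text/plain"},
)

if __name__ == "__main__":
    print("vulnerable, legit :", vulnerable_import_config(LEGIT_REQUEST))
    print("vulnerable, CSRF  :", vulnerable_import_config(CSRF_REQUEST))
    print("hardened,   legit :", hardened_import_config(LEGIT_REQUEST))
    print("hardened,   CSRF  :", hardened_import_config(CSRF_REQUEST))
```

Two practical caveats when verifying a fix of this kind: the nonce cookie must be readable by the application's own script (so it cannot be HttpOnly) while remaining unreadable cross-origin, and a cross-origin XMLHttpRequest that adds a custom X-CSRF-NONCE header triggers a CORS preflight, so the server must also refuse to grant that preflight to foreign origins.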