La nuova immagine di TIM
Una nuova immagine con uno stile dinamico, colori moderni e persone che occupano quasi interamente la scena. Scopri di più
Presentazione dei Risultati H1 2025
Vai alla pagina
La Sostenibilità per TIM
Il Report 2024 accoglie i principi della Corporate Sustainability Reporting Directive (CSRD) ed è incluso nella Relazione Finanziaria e di Sostenibilità. Approfondisci
Ultimi Comunicati Stampa
Leggi gli ultimi comunicati stampa e naviga nell'archivio dell'Ufficio Stampa del Gruppo TIM. Leggi i comunicati
Vulnerability Description: Unrestricted Upload of File with Dangerous Type – CWE-434
Software Version: v22.0.0.62
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-28863
CVSv3: 8.8
Severity: High
Credits: Andrea Carlo Maria Dattola, Raffaella Robles, Massimiliano Brolli
An issue was discovered in Nokia NetAct 22. A remote user, authenticated to the website, can visit the Site Configuration Tool section and arbitrarily upload potentially dangerous files without restrictions via the /netact/sct dir parameter in conjunction with the operation=upload value.
Step-by-step instructions and PoC
A remote user, authenticated to the NOKIA NetAct Web Page, through Site Configuration Tool web site section, can arbitrary upload potentially dangerous files without restrictions
Affected Endpoints
· URL: https://hostname/netact/sct
· HTTP Parameter: operation, dir
Below are the evidences with the vulnerability details and the payloads used.
Payload used to exploit the vulnerability:
This first step consists in the successful arbitrary uploading of a file exploiting the affected URL inside the machine. In the specific casa it has been uploaded a text file containing the EICAR test string, which aims to simulate a malware that is recognized from all Antivirus solutions.
In next picture it is possible to see that file has been successfully uploaded.
For further information about EICAR: https://www.eicar.org/?page_id=3950
Security Impact
This vulnerability would allow an attacker to exploit the platform by injecting malware and, under certain conditions, to execute code in the remote machine.
Vulnerability Description: Unrestricted Upload of File with Dangerous Type – CWE-434
Software Version: v22.0.0.62
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-28863
CVSv3: 8.8
Severity: High
Credits: Andrea Carlo Maria Dattola, Raffaella Robles, Massimiliano Brolli
An issue was discovered in Nokia NetAct 22. A remote user, authenticated to the website, can visit the Site Configuration Tool section and arbitrarily upload potentially dangerous files without restrictions via the /netact/sct dir parameter in conjunction with the operation=upload value.
Step-by-step instructions and PoC
A remote user, authenticated to the NOKIA NetAct Web Page, through Site Configuration Tool web site section, can arbitrary upload potentially dangerous files without restrictions
Affected Endpoints
· URL: https://hostname/netact/sct
· HTTP Parameter: operation, dir
Below are the evidences with the vulnerability details and the payloads used.
Payload used to exploit the vulnerability:
This first step consists in the successful arbitrary uploading of a file exploiting the affected URL inside the machine. In the specific casa it has been uploaded a text file containing the EICAR test string, which aims to simulate a malware that is recognized from all Antivirus solutions.
In next picture it is possible to see that file has been successfully uploaded.
For further information about EICAR: https://www.eicar.org/?page_id=3950
Security Impact
This vulnerability would allow an attacker to exploit the platform by injecting malware and, under certain conditions, to execute code in the remote machine.