La nuova immagine di TIM
Una nuova immagine con uno stile dinamico, colori moderni e persone che occupano quasi interamente la scena. Scopri di più
Presentazione dei Risultati H1 2025
Vai alla pagina
La Sostenibilità per TIM
Il Report 2024 accoglie i principi della Corporate Sustainability Reporting Directive (CSRD) ed è incluso nella Relazione Finanziaria e di Sostenibilità. Approfondisci
Ultimi Comunicati Stampa
Leggi gli ultimi comunicati stampa e naviga nell'archivio dell'Ufficio Stampa del Gruppo TIM. Leggi i comunicati
Vulnerability Description: Improper Neutralization of Directives in Dynamically Evaluated Code – CWE-95
Software Version: v9.7.05
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-41763
CVSv3: 8.8
Severity: High
Credits: Claudio Jacomelli, Sebastiano Lanzarotto, Massimiliano Brolli
An issue was discovered in NOKIA AMS 9.7.05. Remote Code Execution exists via the debugger of the ipAddress variable. A remote user, authenticated to the AMS server, could inject code in the PING function. The privileges of the command executed depend on the user that runs the service.
Step-by-step instructions and PoC
A remote user, authenticated to the AMS server, could inject code in the PING function
Affected Endpoints
· Server: AMS
· Function: PING Test
Below are the evidences with the vulnerability details and the payloads used.
The step to achieve the vulnerability consist in a simple modification via debugger of the ipAddress variable. This is needed because the frontend application manage to sanitize the content.
Security Impact
The vulnerability lead to execute code on the server machine in which the user is logged in. The privilege of the command executed depends on the user that run the service.