CVE Vulnerability

CVE-2022-28866

Multiple Improper Access Control was discovered in Nokia AirFrame BMC Web GUI < R18 Firmware v4.13.00. It does not properly validate requests for access to (or editing of) data and functionality in all endpoints under /#settings/* and /api/settings/*. By not verifying the permissions for access to resources, it allows a potential attacker to view pages, with sensitive data, that are not allowed, and modify system configurations also causing DoS, which should be accessed only by user with administration profile, bypassing all controls (without checking for user identity).

8.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.gruppotim.it/it/footer/red-team.html Exploit Third Party Advisory
https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.html Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:o:nokia:airframe_bmc_web_gui_r18_firmware:*:*:*:*:*:*:*:*
Information

Published : 2022-10-12 12:15

Updated : 2022-10-13 02:58

NVD link : CVE-2022-28866

Mitre link : CVE-2022-28866

Products Affected
No products.
CWE
CWE-863