8.8

CVE-2022-28866

Exploit

EPSS 0.03%
Published 12.10.2022 00:15:10
Last modified 21.11.2024 06:58:05
Source cve@mitre.org
Teams watchlist Login
Open Login

Multiple Improper Access Control was discovered in Nokia AirFrame BMC Web GUI < R18 Firmware v4.13.00. It does not properly validate requests for access to (or editing of) data and functionality in all endpoints under /#settings/* and /api/settings/*. By not verifying the permissions for access to resources, it allows a potential attacker to view pages, with sensitive data, that are not allowed, and modify system configurations also causing DoS, which should be accessed only by user with administration profile, bypassing all controls (without checking for user identity).

Affected products Warnungen 0 Metrics 2 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Nokia ≫ Airframe Bmc Web Gui R18 Firmware Version < 4.13.00

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.03%	0.074

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.html

Third Party Advisory

Exploit

https://www.gruppotim.it/it/footer/red-team.html

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2022-28866

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-28866

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-28866

EUVD