How to fix CVE-2021-35484?

Within 24 hours: Disable or restrict access to the /ui/rest-proxy/campaign/statistic endpoint via WAF rules and network controls. Within 7 days: Audit access logs for suspicious sortColumn parameter activity and implement strict input validation. Within 30 days: Contact Nokia for patch availability, plan upgrade path to patched version, and enforce principle of least privilege for campaign statistic access.

Is Impact affected by CVE-2021-35484?

Nokia IMPACT users face a critical SQL injection vulnerability that allows authenticated attackers to extract sensitive campaign data without detection.

CVE-2021-35484

HIGH

2026-03-03 [email protected]

8.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:05 vuln.today

CVE Published

Mar 03, 2026 - 18:16 nvd

HIGH 8.2

Description

Nokia IMPACT through 19.11.2.10-20210118042150283 allows an authenticated user to perform a Time-based Boolean Blind SQL Injection attack on the endpoint /ui/rest-proxy/campaign/statistic (for the View Campaign page) via the sortColumn HTTP GET parameter. This allows an attacker to access sensitive data from the database and obtain access to the database user, database name, and database version information.

Analysis

Technical Context

Classified as CWE-89 (SQL Injection). Affects the sortColumn HTTP GET component of Impact. Nokia IMPACT through 19.11.2.10-20210118042150283 allows an authenticated user to perform a Time-based Boolean Blind SQL Injection attack on the endpoint /ui/rest-proxy/campaign/statistic (for the View Campaign page) via the sortColumn HTTP GET parameter. This allows an attacker to access sensitive data from the database and obtain access to the database user, database name, and database version information.

Affected Products

Vendor: Nokia. Product: Impact. Versions: up to 19.11.2.10-20210118042150283. Component: sortColumn HTTP GET.

Remediation

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +41

POC: 0

CVE-2021-35484 vulnerability details – vuln.today

Back

CVE-2021-35484

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2021-35484

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code