Impact
CVE-2021-35485
HIGH
Severity by source
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload server-side executable files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an existing one.
AnalysisAI
Impact versions up to 19.11.2.10-20210118042150283 is affected by unrestricted upload of file with dangerous type (CVSS 8.0).
Technical ContextAI
This vulnerability (CWE-434: Unrestricted Upload of File with Dangerous Type) affects Impact. The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload server-side executable files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an existing one.
RemediationAI
Monitor vendor advisories for a patch. Validate file types by content. Store uploads outside web root.
Nokia IMPACT < 18A: An unrestricted File Upload vulnerability was found that may lead to Remote Code Execution. Rated hi
Nokia IMPACT < 18A: has Reflected self XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable
Nokia IMPACT < 18A has path traversal that may lead to RCE if chained with CVE-2019-1743. Rated medium severity (CVSS 5.
Nokia IMPACT < 18A: allows full path disclosure. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploi
Nokia IMPACT through 19.11.2.10-20210118042150283 allows an authenticated user to perform a Time-based Boolean Blind SQL
Impact versions up to 19.11.2.10-20210118042150283 is affected by cross-site scripting (xss) (CVSS 4.1).
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today