Vulnerability Description
Multiple Improper Access Control was discovered in Nokia AirFrame BMC Web GUI < R18 Firmware v4.13.00. It does not properly validate requests for access to (or editing of) data and functionality in all endpoints under /#settings/* and /api/settings/*. By not verifying the permissions for access to resources, it allows a potential attacker to view pages, with sensitive data, that are not allowed, and modify system configurations also causing DoS, which should be accessed only by user with administration profile, bypassing all controls (without checking for user identity).
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nokia | Airframe Bmc Web Gui R18 Firmware | < 4.13.00 |
Related Weaknesses (CWE)
References
- https://www.gruppotim.it/it/footer/red-team.htmlExploitThird Party Advisory
- https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.htmlExploitThird Party Advisory
- https://www.gruppotim.it/it/footer/red-team.htmlExploitThird Party Advisory
- https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.htmlExploitThird Party Advisory
FAQ
What is CVE-2022-28866?
CVE-2022-28866 is a vulnerability with a CVSS score of 8.8 (HIGH). Multiple Improper Access Control was discovered in Nokia AirFrame BMC Web GUI < R18 Firmware v4.13.00. It does not properly validate requests for access to (or editing of) data and functionality in al...
How severe is CVE-2022-28866?
CVE-2022-28866 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-28866?
Check the references section above for vendor advisories and patch information. Affected products include: Nokia Airframe Bmc Web Gui R18 Firmware.