CVE-2021-35483 in Impact
Summary
by MITRE • 03/03/2026
The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an existing one. If an authenticated user visits the web page where the file is published, the JavaScript code is executed.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/04/2026
The vulnerability identified as CVE-2021-35483 affects the Nokia IMPACT applications component version 19.11.2.10 and earlier, presenting a critical security flaw that enables authenticated users to perform arbitrary file uploads. This vulnerability specifically targets the /ui/rest-proxy/application fileupload parameter, which operates during both the creation and modification processes of applications within the system. The flaw stems from inadequate input validation and file type restrictions, allowing malicious actors with valid credentials to bypass security controls and upload potentially harmful JavaScript files to the server. The vulnerability falls under CWE-434, which addresses the insecure upload of code or files, and represents a classic server-side file upload vulnerability that can lead to remote code execution or cross-site scripting attacks. The affected system processes these uploaded files without proper sanitization, creating a pathway for attackers to execute malicious code within the context of the victim's browser session.
The operational impact of this vulnerability extends beyond simple privilege escalation, as it creates a persistent threat vector that can be exploited to compromise entire user sessions and potentially gain deeper access to the underlying system. When an authenticated user navigates to a web page containing the uploaded JavaScript file, the code executes automatically within their browser, potentially leading to session hijacking, credential theft, or further exploitation through techniques such as cross-site request forgery. This vulnerability directly aligns with ATT&CK technique T1059.007 for JavaScript execution and T1566 for credential access through social engineering. The attack surface is particularly concerning because the vulnerability can be triggered during normal application management activities, making it difficult to detect and potentially allowing attackers to remain undetected while establishing persistent access. The exploitation requires only valid authentication credentials, which significantly reduces the attack complexity and increases the likelihood of successful compromise.
Mitigation strategies for CVE-2021-35483 should focus on implementing robust input validation and file type restrictions at the application level, ensuring that only authorized file types are accepted during upload operations. Organizations should enforce strict file extension filtering, implement proper content type validation, and employ additional security measures such as file signature verification to prevent execution of malicious code. The system should also implement proper access controls and monitoring mechanisms to detect unauthorized file uploads, including logging and alerting on suspicious upload activities. Network segmentation and web application firewalls can provide additional layers of protection by monitoring and filtering traffic patterns associated with file upload operations. Patch management procedures should be implemented to ensure timely updates to the Nokia IMPACT system, with particular attention to the specific version mentioned in the vulnerability description. Security awareness training for administrators and users can help reduce the risk of exploitation through social engineering or privilege abuse, while regular security audits and penetration testing should be conducted to identify similar vulnerabilities in related systems and prevent potential lateral movement within the network infrastructure.