CVE-2021-35486 in Impact
Summary
by MITRE • 03/03/2026
A Cross-Site Request Forgery (CSRF) vulnerability in Nokia IMPACT through 19.11.2.10-20210118042150283 allows a remote attacker to import and overwrite the entire application configuration. Specifically, in /ui/rest-proxy/entity/import, neither the X-CSRF-NONCE HTTP header nor the CSRF-NONCE cookie is validated.
Analysis
by VulDB Data Team • 03/13/2026
This cross-site request forgery vulnerability exists within Nokia IMPACT version 19.11.2.10-20210118042150283 and earlier releases, presenting a critical security risk that enables remote attackers to execute unauthorized configuration changes. The flaw specifically affects the /ui/rest-proxy/entity/import endpoint where the application fails to validate either the X-CSRF-NONCE HTTP header or the CSRF-NONCE cookie that should serve as protective mechanisms against cross-site request forgery attacks. This absence of validation creates a pathway for attackers to craft malicious requests that can be executed on behalf of authenticated users without their knowledge or consent.
Technically, the vulnerability stems from insufficient request validation within the application's REST API endpoints. When a user invokes the import functionality, the server should confirm that the request originates from a legitimate source by checking the presence and validity of the CSRF token carried in the HTTP header or cookie. Because that validation is absent, an attacker can construct specially crafted requests that manipulate the application's configuration state. This endpoint is a high-value target because the import functionality it controls can overwrite the entire application configuration, potentially leading to complete system compromise or service disruption.
The operational impact of this vulnerability extends beyond simple data manipulation as it provides attackers with the capability to fundamentally alter the application's operational parameters and security settings. An attacker who successfully exploits this vulnerability could overwrite critical configuration files, disable security features, modify user access controls, or even inject malicious code into the system. The ability to import and overwrite the entire application configuration means that the attacker could essentially take control of the system's operational behavior and potentially render it unusable or compromise its security posture entirely. This vulnerability particularly affects enterprise environments where Nokia IMPACT systems manage critical infrastructure components.
From a cybersecurity framework perspective, this vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses in web applications. The flaw also maps to ATT&CK technique T1566.001, which covers the use of credential stuffing and session hijacking techniques that can be employed to exploit such vulnerabilities. Organizations utilizing Nokia IMPACT systems should implement immediate mitigations including the enforcement of proper CSRF token validation mechanisms, implementation of additional request origin verification checks, and consideration of rate limiting on configuration change endpoints. The recommended remediation approach involves ensuring that all sensitive endpoints validate the presence and integrity of CSRF tokens through both header and cookie mechanisms, while also implementing proper access controls and monitoring for unauthorized configuration changes.
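The following is an added illustration, not Nokia's code, of the header/cookie check that the analysis above says /ui/rest-proxy/entity/import never performs and that the remediation paragraph recommends: a double-submit comparison of X-CSRF-NONCE against CSRF-NONCE plus an Origin/Referer check. The header and cookie names come from the advisory; the request shape, the token format and the allowed-origin list are assumptions for this example.

```python
import hmac
import re
from typing import Mapping, Optional

HEADER = "X-CSRF-NONCE"   # names from the advisory
COOKIE = "CSRF-NONCE"
NONCE_RE = re.compile(r"^[A-Za-z0-9_-]{32,128}$")  # assumed token format


def csrf_check(headers: Mapping[str, str], cookies: Mapping[str, str],
               allowed_origins: set[str]) -> Optional[str]:
    """Return None if the request passes, otherwise the rejection reason.

    A cross-site page can make the browser send the CSRF-NONCE cookie, but
    it cannot read that cookie, so it cannot supply a matching header.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cookie_nonce = cookies.get(COOKIE)
    header_nonce = h.get(HEADER.lower())
    if not cookie_nonce or not header_nonce:
        return "missing CSRF nonce"
    if not NONCE_RE.match(cookie_nonce):
        return "malformed CSRF nonce"
    # Constant-time comparison so the token cannot be guessed via timing.
    if not hmac.compare_digest(cookie_nonce, header_nonce):
        return "CSRF nonce mismatch"
    # Defence in depth: browsers add Origin to cross-site POSTs; fall back to Referer.
    origin = h.get("origin") or h.get("referer", "")
    if origin and not any(origin == o or origin.startswith(o + "/")
                          for o in allowed_origins):
        return f"untrusted origin {origin}"
    return None


def handle_import(request: dict, config: dict, allowed_origins: set[str]) -> int:
    """Stand-in for the import endpoint (assumed shape): apply the imported
    configuration only when the CSRF check passes, else return 403 and leave
    the stored configuration untouched."""
    if request.get("method", "GET").upper() not in ("POST", "PUT"):
        return 405
    reason = csrf_check(request.get("headers", {}), request.get("cookies", {}),
                        allowed_origins)
    if reason is not None:
        return 403
    config.clear()
    config.update(request.get("body", {}))
    return 200
```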