CVE-2023-31044
Published: 03 March 2026
Summary
CVE-2023-31044 is a low-severity Code Injection (CWE-94) vulnerability in Nokia Impact Mobile. Its CVSS base score is 2.0 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 14.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-31044 is a code injection vulnerability (CWE-94) discovered in Nokia Impact versions before Mobile 23_FP1, specifically affecting Impact DM 19.11 and later. A remote authenticated user can exploit the Add Campaign functionality by injecting a malicious payload into the Campaign Name field. This payload persists in data exported to a CSV file. The CVSS v3.1 base score is 2.0 (AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N), indicating low severity due to high attack complexity, required privileges, and user interaction.
Exploitation requires a remote authenticated user with high privileges (PR:H) to create a campaign with the injected payload. When an authorized user exports campaigns to CSV and opens the file in spreadsheet software, the payload in the populated data fields may trigger automatic execution, potentially leading to low-impact confidentiality breaches such as data exfiltration or other malicious activities.
Mitigation details are outlined in advisories available at https://nokia.com and https://www.gruppotim.it/it/footer/red-team/2023/Motive-Impact-CVE-2023-31044.html. Affected systems should be upgraded to Nokia Impact Mobile 23_FP1 or later to address the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-35381
Vulnerability details
An issue was discovered in Nokia Impact before Mobile 23_FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the Campaign Name. This data can be exported to a CSV file. Attackers can populate data fields that may attempt data exfiltration or other malicious activity when automatically executed by the spreadsheet software.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Code is injected directly into a web application field (T1190) and persists into the exported CSV, enabling execution when the victim opens the malicious file (T1204.002).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces validation on the Campaign Name input field to reject malicious payloads before they are stored and later exported.
Requires timely application of the vendor patch (Impact Mobile 23_FP1) that eliminates the injection flaw in the Add Campaign function.
Filters or sanitizes campaign data on CSV export so that spreadsheet formulas or payloads cannot be automatically executed by the receiving application.