CVE-2023-31044
Published: 03 March 2026
Summary
CVE-2023-31044 is a low-severity Code Injection (CWE-94) vulnerability in Nokia Impact Mobile. Its CVSS base score is 2.0 (Low).
Operationally, it is ranked at the 16.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
Validates inputs used in dynamic code generation to block injected directives.
Directly prevents execution of attacker-supplied code written into data memory regions.
NVD Description
An issue was discovered in Nokia Impact before Mobile 23_FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the Campaign Name. This data can be exported to a CSV file. Attackers can populate data fields that may attempt data exfiltration or other malicious activity when automatically executed by the spreadsheet software.
Deeper analysis
CVE-2023-31044 is a code injection vulnerability (CWE-94) discovered in Nokia Impact versions before Mobile 23_FP1, specifically affecting Impact DM 19.11 and later. A remote authenticated user can exploit the Add Campaign functionality by injecting a malicious payload into the Campaign Name field. This payload persists in data exported to a CSV file. The CVSS v3.1 base score is 2.0 (AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N), indicating low severity due to high attack complexity, required privileges, and user interaction.
Exploitation requires a remote authenticated user with high privileges (PR:H) to create a campaign with the injected payload. When an authorized user exports campaigns to CSV and opens the file in spreadsheet software, the payload in the populated data fields may trigger automatic execution, potentially leading to low-impact confidentiality breaches such as data exfiltration or other malicious activities.
Mitigation details are outlined in advisories available at https://nokia.com and https://www.gruppotim.it/it/footer/red-team/2023/Motive-Impact-CVE-2023-31044.html. Affected systems should be upgraded to Nokia Impact Mobile 23_FP1 or later to address the issue.
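As an added example (not Nokia's code or fix, and not part of the original advisory), the following Python shows the export-side defense against the behaviour described above: any text cell that a spreadsheet could treat as a formula is prefixed so it is displayed as text. The function names, column names and sample campaign rows are assumptions constructed for illustration.

```python
import csv
import io

# Leading characters that spreadsheet software may treat as the start of a
# formula (the set commonly cited in CSV-injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a text cell that a spreadsheet will display rather than evaluate.

    Intended for free-text fields such as a campaign name; a leading single
    quote marks the cell as text in common spreadsheet applications.
    """
    text = "" if value is None else str(value)
    # Check both the raw value and the value with leading whitespace removed,
    # since some spreadsheet software trims whitespace before parsing a cell.
    if text.startswith(FORMULA_TRIGGERS) or text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_campaigns(rows, header=("id", "campaign_name")):
    """Serialize rows to CSV with every cell neutralized and quoted."""
    buf = io.StringIO()
    # QUOTE_ALL keeps embedded commas, quotes and newlines inside one field,
    # so a crafted name cannot spill into an adjacent column.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data: hypothetical campaign names, some formula-like.
SAMPLE_CAMPAIGNS = [
    (1, "Spring rollout"),
    (2, "=1+1"),
    (3, "  @SUM(A1:A2)"),
    (4, 'say "hi", now'),
    (5, "+1-1"),
]

if __name__ == "__main__":
    print(export_campaigns(SAMPLE_CAMPAIGNS))
```

The prefix changes the exported text, so any tool that re-imports the CSV needs to strip the leading quote it added.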
Details
- CWE(s)