Lucene search

K
cve[email protected]CVE-2023-40460
HistoryDec 04, 2023 - 11:15 p.m.

CVE-2023-40460

2023-12-0423:15:25
CWE-79
CWE-434
web.nvd.nist.gov
9
cve-2023-40460
aleos
acemanager
file validation
client-side script execution
device functionality
authenticated user
security vulnerability

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

5.5 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.2%

The ACEManager
component of ALEOS 4.16 and earlier does not

validate uploaded
file names and types, which could potentially allow

an authenticated
user to perform client-side script execution within

ACEManager, altering
the device functionality until the device is

restarted.

Affected configurations

NVD
Node
sierrawirelessaleosRange4.16.0
AND
sierrawirelesses450Match-
OR
sierrawirelessgx450Match-
OR
sierrawirelesslx40Match-
OR
sierrawirelesslx60Match-
OR
sierrawirelessmp70Match-
OR
sierrawirelessrv50xMatch-
OR
sierrawirelessrv55Match-

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "ALEOS",
    "vendor": "SierraWireless",
    "versions": [
      {
        "lessThanOrEqual": "4.16",
        "status": "affected",
        "version": "4.10",
        "versionType": "Custom"
      },
      {
        "lessThanOrEqual": "4.9.8",
        "status": "affected",
        "version": "0",
        "versionType": "Custom"
      }
    ]
  }
]

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

5.5 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.2%

Related for CVE-2023-40460