Lucene search

SWICVELIST:CVE-2023-40460

HistoryDec 04, 2023 - 10:50 p.m.

CVE-2023-40460 Improper input leads to DoS

2023-12-0422:50:04

CWE-434

CWE-79

SWI

www.cve.org

acemanager

aleos 4.16

dos

authenticated user

client-side script execution

device functionality

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

AI Score

7.1

Confidence

High

EPSS

0.001

Percentile

18.2%

JSON

The ACEManager
component of ALEOS 4.16 and earlier does not

validate uploaded
file names and types, which could potentially allow

an authenticated
user to perform client-side script execution within

ACEManager, altering
the device functionality until the device is

restarted.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "ALEOS",
    "vendor": "SierraWireless",
    "versions": [
      {
        "lessThanOrEqual": "4.16",
        "status": "affected",
        "version": "4.10",
        "versionType": "Custom"
      },
      {
        "lessThanOrEqual": "4.9.8",
        "status": "affected",
        "version": "0",
        "versionType": "Custom"
      }
    ]
  }
]

References

source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006/#sthash.5ZcnyPM1.dpbs

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

AI Score

7.1

Confidence

High

EPSS

0.001

Percentile

18.2%

JSON

Related for CVELIST:CVE-2023-40460