CVE-2023-40460 — Cross-site Scripting in Aleos

CWE-79 — Cross-site Scripting CWE-434 — Unrestricted File Upload4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.0%

top 99.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sierrawireless Aleos

Timeline

PublishedDec 4

Latest updateDec 7

Description

The ACEManager component of ALEOS 4.16 and earlier does not validate uploaded file names and types, which could potentially allow an authenticated user to perform client-side script execution within ACEManager, altering the device functionality until the device is restarted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5sierrawireless/aleos4.10 — 4.16

▶NVDsierrawireless/aleos4.16.0

🔴Vulnerability Details

GHSA

GHSA-fv86-7h6v-h3qg: The ACEManager component of ALEOS 4↗2023-12-05

▶

📋Vendor Advisories

CISA ICS

Sierra Wireless AirLink with ALEOS firmware↗2023-12-07

▶

🕵️Threat Intelligence

Bleepingcomputer

"Sierra:21" vulnerabilities impact critical infrastructure routers↗2023-12-06

▶