CVE-2023-40460
published 2023-12-04CVE-2023-40460: The ACEManager component of ALEOS 4.16 and earlier does not validate uploaded file names and types, which could potentially allow an authenticated user to…
PriorityP427medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.48%
38.0th percentile
The ACEManager
component of ALEOS 4.16 and earlier does not
validate uploaded
file names and types, which could potentially allow
an authenticated
user to perform client-side script execution within
ACEManager, altering
the device functionality until the device is
restarted.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sierrawireless | aleos | <= 4.16.0 | — |
| sierrawireless | aleos | 4.10 – 4.16 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
Sierra Wireless AirLink with ALEOS firmware
cisa_ics·2023-12-07·CVSS 7.5
[HIGH] Sierra Wireless AirLink with ALEOS firmware
ICS Advisory
##
Sierra Wireless AirLink with ALEOS firmware
Release DateDecember 07, 2023
Alert CodeICSA-23-341-06
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.1
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Sierra Wireless
- Equipment: AirLink
- Vulnerabilities: Infinite Loop, NULL Pointer Dereference, Cross-site Scripting, Reachable Assertion, Use of Hard-coded Credentials, Use of Hard-coded Cryptographic Key
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution to take full control of the device, steal credentials through a cross site scripting attack, or crash the device being accessed through a denial-of-service attack.
## 3. TECHNICAL DETAILS
## 3.1 AFFEC
GHSA
GHSA-fv86-7h6v-h3qg: The ACEManager
component of ALEOS 4
ghsa_unreviewed·2023-12-05
CVE-2023-40460 [HIGH] CWE-434 GHSA-fv86-7h6v-h3qg: The ACEManager
component of ALEOS 4
The ACEManager
component of ALEOS 4.16 and earlier does not
validate uploaded
file names and types, which could potentially allow
an authenticated
user to perform client-side script execution within
ACEManager, altering
the device functionality until the device is
restarted.
No detection rules found.
No public exploits indexed.
2023-12-04
Published