CVE-2023-40461Cross-site Scripting in Aleos

CWE-79Cross-site Scripting4 documents4 sources
Severity
4.8MEDIUMNVD
EPSS
0.0%
top 98.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Sierrawireless Aleos
Timeline
PublishedDec 4
Latest updateDec 7

Description

The ACEManager component of ALEOS 4.16 and earlier allows an authenticated user with Administrator privileges to access a file upload field which does not fully validate the file name, creating a Stored Cross-Site Scripting condition.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

CVEListV5sierrawireless/aleos4.104.16

🔴Vulnerability Details

1
GHSA
GHSA-78cf-35f9-pxqf: The ACEManager component of ALEOS 42023-12-05

📋Vendor Advisories

1
CISA ICS
Sierra Wireless AirLink with ALEOS firmware2023-12-07

🕵️Threat Intelligence

1
Bleepingcomputer
"Sierra:21" vulnerabilities impact critical infrastructure routers2023-12-06
CVE-2023-40461 — Cross-site Scripting in Aleos | cvebase