CVE-2023-40460

Published: Dec 4, 2023Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

The ACEManager component of ALEOS 4.16 and earlier does not validate uploaded file names and types, which could potentially allow an authenticated user to perform client-side script execution within ACEManager, altering the device functionality until the device is restarted.

Affected (1)

Products: Sierrawireless: Aleos

Sierrawireless

1 product

Aleos

Configuration A

1 vulnerable · 7 platform

Vulnerable Software	Affected Versions
Sierrawireless Aleos	Up to 4.16.0

Running on/with	Platform Versions
Sierrawireless Es450	All versions
Sierrawireless Gx450	All versions
Sierrawireless Lx40	All versions
Sierrawireless Lx60	All versions
Sierrawireless Mp70	All versions
Sierrawireless Rv50x	All versions
Sierrawireless Rv55	All versions

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006/#sthash.5ZcnyPM1.dpbs

Source: security@sierrawireless.com

Vendor Advisory

https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006/#sthash.5ZcnyPM1.dpbs

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.