Vulnerability Description
An exploitable cross-site request forgery vulnerability exists in the ACEManager functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an authenticated user to perform privileged requests unknowingly, resulting in unauthenticated requests being requested through an authenticated user. An attacker can get an authenticated user to request authenticated pages on the attacker's behalf to trigger this vulnerability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sierrawireless | Airlink Es450 Firmware | 4.9.3 |
| Sierrawireless | Airlink Es450 | - |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/152651/Sierra-Wireless-AirLink-ES450-ACEMan
- http://www.securityfocus.com/bid/108147
- https://ics-cert.us-cert.gov/advisories/ICSA-19-122-03
- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0751ExploitThird Party Advisory
- http://packetstormsecurity.com/files/152651/Sierra-Wireless-AirLink-ES450-ACEMan
- http://www.securityfocus.com/bid/108147
- https://ics-cert.us-cert.gov/advisories/ICSA-19-122-03
- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0751ExploitThird Party Advisory
FAQ
What is CVE-2018-4066?
CVE-2018-4066 is a vulnerability with a CVSS score of 8.8 (HIGH). An exploitable cross-site request forgery vulnerability exists in the ACEManager functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an authenticated us...
How severe is CVE-2018-4066?
CVE-2018-4066 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-4066?
Check the references section above for vendor advisories and patch information. Affected products include: Sierrawireless Airlink Es450 Firmware, Sierrawireless Airlink Es450.