Vulnerability Description
The ACEManager component of ALEOS 4.16 and earlier does not validate the names or types of uploaded files. Because neither the file name nor the declared content type is checked, an authenticated user can supply an upload that the browser renders as script, giving client-side script execution (cross-site scripting) within ACEManager. The injected script can alter device functionality, and the effect persists until the device is restarted.
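The check the description says is missing, shown as an added example in Python. This is not ACEManager or Sierra Wireless code and assumes nothing about how ALEOS handles uploads internally; it assumes a generic web handler that receives an upload's file name, declared content type and leading bytes, and that the allow-listed extensions (`.cfg`, `.bin`, `.pem`, `.crt`) are what such an endpoint would accept. The sample inputs in the test are constructed to exercise each rejection path.

```python
"""Upload name/type validation of the kind CVE-2023-40460 implies is absent.

Added example, not ACEManager or Sierra Wireless code. Assumes a web handler
that gets (filename, declared_content_type, first_bytes) for an upload and
must decide whether to store it and how to serve it back without the browser
executing it.
"""
import os
import posixpath
import re
from dataclasses import dataclass, field

# Extensions assumed acceptable for a device-management upload endpoint.
ALLOWED_EXTENSIONS = {".cfg", ".bin", ".pem", ".crt"}

# Types a browser will render or execute; never accept or echo these.
ACTIVE_CONTENT_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/javascript", "application/javascript", "application/x-javascript",
}

# Conservative file-name grammar: ASCII, no leading dot, no <>"'/\ or spaces.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


@dataclass
class Decision:
    accepted: bool
    reason: str
    stored_name: str = ""
    headers: dict = field(default_factory=dict)  # headers to use when serving the file back


def looks_like_markup(head: bytes) -> bool:
    """Reject content that a browser would treat as HTML/SVG/script regardless of name or type."""
    sample = head[:512].lstrip().lower()
    if sample.startswith((b"<!doctype", b"<html", b"<svg", b"<script")):
        return True
    return b"<script" in sample or b"onerror=" in sample or b"onload=" in sample


def validate_upload(filename: str, content_type: str, head: bytes) -> Decision:
    # 1. Path handling: any directory component (either separator) is rejected outright.
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or base != filename:
        return Decision(False, "directory component or empty name")

    # 2. Name grammar: blocks characters that become markup when the name is echoed into a page.
    if not SAFE_NAME.match(base):
        return Decision(False, "filename contains disallowed characters")

    # 3. Extension allow-list on the LAST extension only, so "x.cfg.html" fails.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return Decision(False, f"extension {ext or '(none)'} not allowed")

    # 4. Declared type (parameters such as charset stripped) must not be active content.
    ct = content_type.split(";")[0].strip().lower()
    if ct in ACTIVE_CONTENT_TYPES:
        return Decision(False, f"active content type {ct}")

    # 5. Content sniff, because the declared type is attacker-controlled.
    if looks_like_markup(head):
        return Decision(False, "content looks like HTML/SVG/script")

    # Serving headers: force download, pin the type, forbid sniffing, and sandbox if rendered anyway.
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{base}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return Decision(True, "ok", base, headers)


if __name__ == "__main__":
    # Constructed sample uploads, one per rejection path plus one good upload.
    samples = [
        ("config.cfg", "application/octet-stream", b"[settings]\n"),
        ("<img src=x onerror=alert(1)>.cfg", "application/octet-stream", b"x"),
        ("payload.html", "text/html", b"<html>"),
        ("firmware.cfg.html", "application/octet-stream", b"x"),
        ("../../etc/passwd", "application/octet-stream", b"x"),
        ("x.cfg", "image/svg+xml; charset=utf-8", b"x"),
        ("x.cfg", "application/octet-stream", b"<svg onload=alert(1)>"),
    ]
    for name, ctype, head in samples:
        d = validate_upload(name, ctype, head)
        print(f"{name!r:40} -> {'ACCEPT' if d.accepted else 'REJECT'}: {d.reason}")
```

The five checks are independent on purpose: a name-only filter lets `x.cfg` with an SVG body through, and a type-only filter lets an HTML body with a forged `application/octet-stream` type through. The response headers matter as much as the upload checks, since a file that was accepted is still only safe if the browser is told not to render it in the ACEManager origin.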
CVSS Score
7.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sierra Wireless | ALEOS | <= 4.16.0 |
| Sierra Wireless | ES450 | - |
| Sierra Wireless | GX450 | - |
| Sierra Wireless | LX40 | - |
| Sierra Wireless | LX60 | - |
| Sierra Wireless | MP70 | - |
| Sierra Wireless | RV50X | - |
| Sierra Wireless | RV55 | - |
Related Weaknesses (CWE)
References
- https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-t (Vendor Advisory)
FAQ
What is CVE-2023-40460?
CVE-2023-40460 is a vulnerability with a CVSS score of 7.1 (HIGH). The ACEManager component of ALEOS 4.16 and earlier does not validate uploaded file names and types, which could allow an authenticated user to perform client-side script execution within ACEManager, altering the device functionality until the device is restarted.
How severe is CVE-2023-40460?
CVE-2023-40460 has been rated HIGH with a CVSS base score of 7.1/10. Exploitation requires an authenticated ACEManager session, so limiting who can reach the ACEManager interface reduces exposure, and the script's effect on device functionality lasts only until the device is restarted.
Is there a patch for CVE-2023-40460?
Check the references section above for the Sierra Wireless security bulletin and patch information; ALEOS releases after 4.16.0 are outside the affected range listed above. Affected products are Sierra Wireless ALEOS (<= 4.16.0) and the ES450, GX450, LX40, LX60, MP70, RV50X and RV55 devices that run it.