CVE-2023-40460










The ACEManager
component of ALEOS 4.16 and earlier does not



validate uploaded
file names and types, which could potentially allow



an authenticated
user to perform client-side script execution within



ACEManager, altering
the device functionality until the device is



restarted.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
SWICNA
7.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
VendorProductVersion
sierrawirelessaleos
𝑥
≤ 4.16.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006/#sthash.5ZcnyPM1.dpbs
https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006/#sthash.5ZcnyPM1.dpbs