Lucene search

TalosCVE-2018-4063

HistoryMay 06, 2019 - 7:29 p.m.

CVE-2018-4063

2019-05-0619:29:00

CWE-434

talos

web.nvd.nist.gov

exploitable

cve-2018-4063

remote code execution

sierra wireless airlink es450

upload.cgi

firmware 4.9.3

security vulnerability

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.005

Percentile

76.9%

JSON

An exploitable remote code execution vulnerability exists in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Affected configurations

Nvd

Vulners

Node

sierrawirelessairlink_es450Match-

AND

sierrawirelessairlink_es450_firmwareMatch4.9.3

VendorProductVersionCPE
sierrawirelessairlink_es450-cpe:2.3:h:sierrawireless:airlink_es450:-:*:*:*:*:*:*:*
sierrawirelessairlink_es450_firmware4.9.3cpe:2.3:o:sierrawireless:airlink_es450_firmware:4.9.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sierrawireless	airlink_es450	-	cpe:2.3:h:sierrawireless:airlink_es450:-:::::::*
sierrawireless	airlink_es450_firmware	4.9.3	cpe:2.3:o:sierrawireless:airlink_es450_firmware:4.9.3:::::::*

CNA Affected

[
  {
    "product": "Sierra Wireless",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Sierra Wireless AirLink ES450 FW 4.9.3"
      }
    ]
  }
]