CVE-2023-40461

2023-12-0423:15:25

CWE-79

[email protected]

web.nvd.nist.gov

acemanager

aleos

file upload

vulnerability

stored cross-site scripting

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS

Percentile

14.0%

JSON

The ACEManager
component of ALEOS 4.16 and earlier allows an

authenticated user
with Administrator privileges to access a file

upload field which
does not fully validate the file name, creating a

Stored Cross-Site
Scripting condition.

Affected configurations

Nvd

Node

sierrawirelessaleosRange≤4.16.0

AND

sierrawirelesses450Match-

sierrawirelessgx450Match-

sierrawirelesslx40Match-

sierrawirelesslx60Match-

sierrawirelessmp70Match-

sierrawirelessrv50xMatch-

sierrawirelessrv55Match-

VendorProductVersionCPE
sierrawirelessaleos*cpe:2.3:o:sierrawireless:aleos:*:*:*:*:*:*:*:*
sierrawirelesses450-cpe:2.3:h:sierrawireless:es450:-:*:*:*:*:*:*:*
sierrawirelessgx450-cpe:2.3:h:sierrawireless:gx450:-:*:*:*:*:*:*:*
sierrawirelesslx40-cpe:2.3:h:sierrawireless:lx40:-:*:*:*:*:*:*:*
sierrawirelesslx60-cpe:2.3:h:sierrawireless:lx60:-:*:*:*:*:*:*:*
sierrawirelessmp70-cpe:2.3:h:sierrawireless:mp70:-:*:*:*:*:*:*:*
sierrawirelessrv50x-cpe:2.3:h:sierrawireless:rv50x:-:*:*:*:*:*:*:*
sierrawirelessrv55-cpe:2.3:h:sierrawireless:rv55:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sierrawireless	aleos	*	cpe:2.3:o:sierrawireless:aleos::::::::
sierrawireless	es450	-	cpe:2.3:h:sierrawireless:es450:-:::::::*
sierrawireless	gx450	-	cpe:2.3:h:sierrawireless:gx450:-:::::::*
sierrawireless	lx40	-	cpe:2.3:h:sierrawireless:lx40:-:::::::*
sierrawireless	lx60	-	cpe:2.3:h:sierrawireless:lx60:-:::::::*
sierrawireless	mp70	-	cpe:2.3:h:sierrawireless:mp70:-:::::::*
sierrawireless	rv50x	-	cpe:2.3:h:sierrawireless:rv50x:-:::::::*
sierrawireless	rv55	-	cpe:2.3:h:sierrawireless:rv55:-:::::::*