CVE-2023-40461: Cross-site scripting vulnerability in ACEManager
First published: Mon Dec 04 2023(Updated: )
The ACEManager component of ALEOS 4.16 and earlier allows an authenticated user with Administrator privileges to access a file upload field which does not fully validate the file name, creating a Stored Cross-Site Scripting condition.
Credit: security@sierrawireless.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| Sierrawireless Aleos | <=4.16.0 | |
| Any of | ||
| Sierrawireless Es450 | ||
| Sierrawireless Gx450 | ||
| Sierrawireless Lx40 | ||
| Sierrawireless Lx60 | ||
| Sierrawireless Mp70 | ||
| Sierrawireless Rv50x | ||
| Sierrawireless Rv55 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2023-40461?
CVE-2023-40461 is a Cross-site scripting (XSS) vulnerability in ACEManager component of ALEOS 4.16 and earlier, allowing an authenticated user with Administrator privileges to access a file upload field which does not fully validate the file name, creating a Stored XSS condition.
Which software versions are affected by CVE-2023-40461?
ALEOS 4.16 and earlier versions are affected by CVE-2023-40461.
What is the severity of CVE-2023-40461?
CVE-2023-40461 has a severity rating of 8.1 (High).
How can an authenticated user exploit CVE-2023-40461?
An authenticated user with Administrator privileges can exploit CVE-2023-40461 by accessing a file upload field that does not fully validate the file name, allowing them to inject malicious scripts into the application.
Is Sierra Wireless providing any reference for CVE-2023-40461?
Yes, Sierra Wireless has provided a reference for CVE-2023-40461. You can find more information at the following link: [Sierra Wireless Technical Bulletin - SWI-PSA-2023-006](https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006/#sthash.6KUVtE6w.dpbs)
- collector/nvd-api
- agent/severity
- agent/weakness
- agent/references
- agent/title
- agent/author
- agent/type
- agent/event
- agent/description
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/sierrawireless
- canonical/sierrawireless aleos
- version/sierrawireless aleos/4.16.0
- canonical/sierrawireless es450
- canonical/sierrawireless gx450
- canonical/sierrawireless lx40
- canonical/sierrawireless lx60
- canonical/sierrawireless mp70
- canonical/sierrawireless rv50x
- canonical/sierrawireless rv55