Cross-Site Request Forgery in Sierra Wireless AirLink ES450
CVE-2018-4066
8.8 HIGH
What is CVE-2018-4066?
The Sierra Wireless AirLink ES450 device, version FW 4.9.3, contains a cross-site request forgery (CSRF) vulnerability in its ACEManager functionality. An attacker can craft a malicious HTTP request that rides on an authenticated user's session. When the user unknowingly submits such a request, the device performs the requested action on the user's behalf without their consent. This can have serious security implications, because the forged request arrives with the user's valid session and the authentication mechanisms therefore do not stop it.
Affected Version(s)
Sierra Wireless AirLink ES450 FW 4.9.3
EPSS Score
71% chance of being exploited in the next 30 days.
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved