PT-2019-10791 · Sierra Wireless · Acemanager+1

Publicado

2019-10-31

Atualizado

2019-11-06

CVE-2018-4064

CVSS v3.1

7.1

Alta

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Name of the Vulnerable Software and Affected Versions Sierra Wireless AirLink ES450 FW version 4.9.3

Description The issue allows for an unverified password change through a specially crafted HTTP request to the upload.cgi functionality in ACEManager. This can result in an unauthorized change of the user password on the device. An attacker can exploit this by making an authenticated HTTP request.

Recommendations For Sierra Wireless AirLink ES450 FW version 4.9.3, consider restricting access to the upload.cgi functionality in ACEManager until a fix is available. As a temporary workaround, monitor device configuration changes closely to detect any unauthorized password changes.

Exploit

Correção

Improper Authentication

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-287

Identificadores relacionados

CVE-2018-4064

Produtos afetados

Acemanager

Sierra Wireless Airlink Es450

PT-2019-10791 · Sierra Wireless · Acemanager+1

CVE-2018-4064

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 3