PT-2019-10792 · Sierra Wireless · Sierra Wireless Airlink Es450

Carl Hurd

Published

2019-05-06

Updated

2019-05-07

CVE-2018-4065

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Sierra Wireless AirLink ES450 FW version 4.9.3

Description A cross-site scripting issue exists in the ACEManager ping result.cgi functionality. This can be triggered by a specially crafted HTTP ping request, leading to the execution of javascript code on the victim's browser. An attacker can exploit this by getting a victim to click a link or embedded URL that redirects to the reflected cross-site scripting vulnerability.

Recommendations For Sierra Wireless AirLink ES450 FW version 4.9.3, consider restricting access to the ping result.cgi functionality until a fix is available. As a temporary workaround, avoid using the ACEManager ping result.cgi functionality to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2018-4065

Affected Products

Sierra Wireless Airlink Es450

PT-2019-10792 · Sierra Wireless · Sierra Wireless Airlink Es450

CVE-2018-4065

Weakness Enumeration

Related Identifiers

Affected Products

References · 6