PT-2023-7520 · Aleos · Aleos

Published: 2023-08-14 · Updated: 2023-12-08 · CVE-2023-40461

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:N/I:C/A:C
Name of the Vulnerable Software and Affected Versions: ALEOS versions 4.16 and earlier

Description: The issue lies in the ACEManager component of the ALEOS operating system, which does not properly validate file names in a file upload field. A stored file name that contains markup is later rendered into the management interface, producing a Stored Cross-Site Scripting (XSS) condition that allows a remote attacker to conduct cross-site scripting attacks against other users of ACEManager. The vulnerable file upload field is reachable only by an authenticated user with Administrator privileges.

Recommendations: For ALEOS versions 4.16 and earlier, consider disabling the file upload field in the ACEManager component until a patch that fully validates file names and prevents Stored Cross-Site Scripting is available. Restrict access to the ACEManager component to minimize the risk of exploitation, and avoid using the file upload feature in the affected versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
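The defect class described above (an unvalidated upload file name echoed into a management page) can be checked and closed with two controls: an allowlist on the stored name and context-aware escaping at output time. The following is an added illustration, not ACEManager or Sierra Wireless code; the sample file names are constructed, and the names SAFE_NAME, validate_upload_name, render_vulnerable and render_hardened are assumptions of this example.

```python
import html
import re
from typing import Optional

# Allowlist for stored upload names (assumption for this example):
# a base name of letters, digits, underscore or dash, optionally one short extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,8})?$")


def validate_upload_name(name: str) -> Optional[str]:
    """Return the name unchanged if it passes the allowlist, else None.

    Returning None means the upload is rejected outright; the name is never
    stored, so nothing markup-like can reach a later page render.
    """
    # Reject path separators and traversal before the allowlist check so the
    # same function also blocks names that try to escape the upload directory.
    if "/" in name or "\\" in name or ".." in name:
        return None
    if not SAFE_NAME.fullmatch(name):
        return None
    return name


def render_vulnerable(name: str) -> str:
    """Vulnerable pattern: the stored name is concatenated into HTML as-is."""
    return f"<li>Uploaded file: {name}</li>"


def render_hardened(name: str) -> str:
    """Hardened pattern: escape for the HTML text context at output time."""
    return f"<li>Uploaded file: {html.escape(name, quote=True)}</li>"


if __name__ == "__main__":
    # Constructed sample names: one benign, one carrying markup, one traversal.
    for sample in ("config_2023-08.xml", "logo<b>x</b>.png", "../etc/passwd"):
        verdict = validate_upload_name(sample)
        print(f"{sample!r}: {'accepted' if verdict else 'rejected'}")
    # Even if an unsafe name slipped into storage, escaping neutralises it.
    print(render_vulnerable("logo<b>x</b>.png"))
    print(render_hardened("logo<b>x</b>.png"))
```

Both controls are needed: the allowlist stops the value from being stored, and output escaping protects pages that render names stored before the allowlist was introduced.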

Assertion Failure

XSS

Weakness Enumeration

Related Identifiers

BDU:2023-08569
CVE-2023-40461

Affected Products

Aleos