PT-2023-7523 · Aleos · Aleos

Published: 2023-08-14 · Updated: 2023-12-08 · CVE-2023-40460

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:S/C:N/I:C/A:P
Name of the Vulnerable Software and Affected Versions: ALEOS versions 4.16 and earlier

Description: The issue lies in the ACEManager component of the ALEOS operating system, which does not validate the names and types of uploaded files. This could allow an authenticated user to perform client-side script execution within ACEManager, altering the device functionality until the device is restarted. Exploitation of this issue may enable a remote attacker to execute arbitrary scripts and cause the device to reboot.

Recommendations: For ALEOS versions 4.16 and earlier, consider disabling the ACEManager component until a patch is available to prevent potential exploitation. Restrict access to the ACEManager interface to minimize the risk of unauthorized file uploads. As a temporary workaround, limit the types of files that can be uploaded to the device to prevent malicious file execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: Unrestricted File Upload, XSS

Related Identifiers: BDU:2023-08572, CVE-2023-40460

Affected Products: Aleos