CVE-2018-4066
Summary
| CVE | CVE-2018-4066 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-05-06 19:29:00 UTC |
| Updated | 2019-05-07 20:29:00 UTC |
| Description | An exploitable cross-site request forgery vulnerability exists in the ACEManager functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an authenticated user to perform privileged requests unknowingly, resulting in unauthenticated requests being requested through an authenticated user. An attacker can get an authenticated user to request authenticated pages on the attacker's behalf to trigger this vulnerability. |
Risk And Classification
Problem Types: CWE-352
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Sierrawireless | Airlink Es450 | - | All | All | All |
| Hardware | Sierrawireless | Airlink Es450 | - | All | All | All |
| Operating System | Sierrawireless | Airlink Es450 Firmware | 4.9.3 | All | All | All |
| Operating System | Sierrawireless | Airlink Es450 Firmware | 4.9.3 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| TALOS-2018-0751 || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence | MISC | talosintelligence.com | Exploit, Third Party Advisory |
| Sierra Wireless AirLink ES450 ACEManager Cross Site Request Forgery ≈ Packet Storm | MISC | packetstormsecurity.com | |
| Sierra Wireless AirLink ALEOS | ICS-CERT | MISC | ics-cert.us-cert.gov | |
| Sierra Wireless AirLink ALEOS Multiple Security Vulnerabilities | BID | www.securityfocus.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.