ByteOS Network

NVD Vulnerability Details :

CVE-2018-4071

Analyzed

Source-talos-cna@cisco.com

Published At-06 May, 2019 | 19:29

Updated At-08 May, 2019 | 13:28

An exploitable Information Disclosure vulnerability exists in the ACEManager EmbeddedAceGet_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. The EmbeddedAceTLGet_Task.cgi executable is used to retrieve MSCII configuration values within the configuration manager of the AirLink ES450. This binary does not have any restricted configuration settings, so once the MSCIID is discovered, any authenticated user can send configuration changes using the /cgi-bin/Embedded_Ace_TLGet_Task.cgi endpoint.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.0	8.8	HIGH	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary	2.0	4.0	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:N

Type: Primary

Version: 3.0

Base score: 8.8

Base severity: HIGH

Vector:

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Type: Primary

Version: 2.0

Base score: 4.0

Base severity: MEDIUM

Vector:

AV:N/AC:L/Au:S/C:P/I:N/A:N

CPE Matches

sierrawireless>>airlink_es450_firmware>>4.9.3

cpe:2.3:o:sierrawireless:airlink_es450_firmware:4.9.3:*:*:*:*:*:*:*

sierrawireless>>airlink_es450>>-

cpe:2.3:h:sierrawireless:airlink_es450:-:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-200	Primary	nvd@nist.gov

CWE ID: CWE-200

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://talosintelligence.com/vulnerability_reports/TALOS-2018-0755	talos-cna@cisco.com	Exploit Third Party Advisory

Hyperlink: https://talosintelligence.com/vulnerability_reports/TALOS-2018-0755

Source: talos-cna@cisco.com

Resource:

Exploit

Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History