Vulnerability Details : CVE-2018-4066
An exploitable cross-site request forgery vulnerability exists in the ACEManager functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an authenticated user to unknowingly perform privileged requests, so that requests originating from an unauthenticated attacker are executed through the victim's authenticated session. An attacker can trigger this vulnerability by getting an authenticated user to request authenticated pages on the attacker's behalf.
Vulnerability category: Cross-site request forgery (CSRF)
Products affected by CVE-2018-4066
- cpe:2.3:o:sierrawireless:airlink_es450_firmware:4.9.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-4066
- EPSS score: 2.88% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~90% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2018-4066
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
CWE ids for CVE-2018-4066
- The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Assigned by:
- nvd@nist.gov (Primary)
- talos-cna@cisco.com (Secondary)
References for CVE-2018-4066
- http://packetstormsecurity.com/files/152651/Sierra-Wireless-AirLink-ES450-ACEManager-Cross-Site-Request-Forgery.html : Sierra Wireless AirLink ES450 ACEManager Cross Site Request Forgery (Packet Storm)
- http://www.securityfocus.com/bid/108147 : Sierra Wireless AirLink ALEOS Multiple Security Vulnerabilities (SecurityFocus)
- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0751 : TALOS-2018-0751 (Cisco Talos Intelligence Group) [Exploit; Third Party Advisory]
- https://ics-cert.us-cert.gov/advisories/ICSA-19-122-03 : Sierra Wireless AirLink ALEOS (CISA)