CVE-2018-4066
HIGHSierra Wireless AirLink ES450 Firmware 4.9.3 - Cross-Site Request Forgery in ACEManager
Title source: llmDescription
An exploitable cross-site request forgery vulnerability exists in the ACEManager functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an authenticated user to perform privileged requests unknowingly, resulting in unauthenticated requests being requested through an authenticated user. An attacker can get an authenticated user to request authenticated pages on the attacker's behalf to trigger this vulnerability.
References (4)
Core 4
Core References
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/152651/Sierra-Wireless-AirLink-ES450-ACEManager-Cross-Site-Request-Forgery.html
Various Sources x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-19-122-03
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/108147
Exploit, Third Party Advisory x_refsource_misc
https://talosintelligence.com/vulnerability_reports/TALOS-2018-0751
Scores
CVSS v3
8.8
EPSS
0.0219
EPSS Percentile
80.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (1)
sierrawireless/airlink_es450_firmware
4.9.3
Published
May 06, 2019
Tracked Since
Feb 18, 2026