CVE-2018-4072

Exploit

EPSS 41.98%
Veröffentlicht 06.05.2019 19:29:01
Zuletzt bearbeitet 21.11.2024 04:06:41
Quelle talos-cna@cisco.com
Teams Watchlist Login
Unerledigt Login

An exploitable Permission Assignment vulnerability exists in the ACEManager EmbeddedAceSet_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. The EmbeddedAceSet_Task.cgi executable is used to change MSCII configuration values within the configuration manager of the AirLink ES450. This binary does not have any restricted configuration settings, so once the MSCIID is discovered, any authenticated user can send configuration changes using the /cgi-bin/Embedded_Ace_Set_Task.cgi endpoint.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sierrawireless ≫ Airlink Es450 Firmware Version4.9.3

Sierrawireless ≫ Airlink Es450 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	41.98%	0.973

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

https://talosintelligence.com/vulnerability_reports/TALOS-2018-0756

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2018-4072

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-4072

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-4072

EUVD