Aggregates CVE and security vulnerability intelligence across all Sierra Wireless-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk buffer overflow, vendor risk memory corruption, and vendor risk cross-site scripting and related problems; some flaws may lead to vendor impact application crash.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2023-38321 | OpenNDS, as used in Sierra Wireless ALEOS before 4.17.0.12 and other products, allows remote attackers to cause a denial of service (NULL pointer dereference, daemon crash, and Captive Portal outage) via a GET request to /opennds_auth/ that lacks a custom query string parameter and client-token. | [email protected] | 7.5 | 0.05% | 2023-12-25 | 2024-11-21 |
| CVE-2023-40465 | Several versions of ALEOS, including ALEOS 4.16.0, include an opensource third-party component which can be exploited from the local area network, resulting in a Denial of Service condition for the captive portal. | [email protected] | 8.3 | 0.00% | 2023-12-04 | 2024-11-21 |
| CVE-2023-40464 | Several versions of ALEOS, including ALEOS 4.16.0, use a hardcoded SSL certificate and private key. An attacker with access to these items could potentially perform a man in the middle attack between the ACEManager client and ACEManager server. | [email protected] | 8.1 | 0.00% | 2023-12-04 | 2024-11-21 |
| CVE-2023-40463 | When configured in debugging mode by an authenticated user with administrative privileges, ALEOS 4.16 and earlier store the SHA512 hash of the common root password for that version in a directory accessible to a user with root privileges or equivalent access. | [email protected] | 8.1 | 0.02% | 2023-12-04 | 2024-11-21 |
| CVE-2023-40462 | The ACEManager component of ALEOS 4.16 and earlier does not perform input sanitization during authentication, which could potentially result in a Denial of Service (DoS) condition for ACEManager without impairing other router functions. ACEManager recovers from the DoS condition by restarting within ten seconds of becoming unavailable. | [email protected] | 7.5 | 0.01% | 2023-12-04 | 2025-02-13 |
| CVE-2023-40461 | The ACEManager component of ALEOS 4.16 and earlier allows an authenticated user with Administrator privileges to access a file upload field which does not fully validate the file name, creating a Stored Cross-Site Scripting condition. | [email protected] | 8.1 | 0.01% | 2023-12-04 | 2024-11-21 |
| CVE-2023-40460 | The ACEManager component of ALEOS 4.16 and earlier does not validate uploaded file names and types, which could potentially allow an authenticated user to perform client-side script execution within ACEManager, altering the device functionality until the device is restarted. | [email protected] | 7.1 | 0.01% | 2023-12-04 | 2024-11-21 |
| CVE-2023-40459 | The ACEManager component of ALEOS 4.16 and earlier does not adequately perform input sanitization during authentication, which could potentially result in a Denial of Service (DoS) condition for ACEManager without impairing other router functions. ACEManager recovers from the DoS condition by restarting within ten seconds of becoming unavailable. | [email protected] | 7.5 | 1.30% | 2023-12-04 | 2024-11-21 |
| CVE-2023-40458 | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Sierra Wireless, Inc ALEOS could potentially allow a remote attacker to trigger a Denial of Service (DoS) condition for ACEManager without impairing other router functions. This condition is cleared by restarting the device. | [email protected] | 7.5 | 0.01% | 2023-11-29 | 2024-11-21 |
| CVE-2022-46650 | Acemanager in ALEOS before version 4.16 allows a user with valid credentials to reconfigure the device to expose the ACEManager credentials on the pre-login status page. | [email protected] | 4.9 | 0.04% | 2023-02-10 | 2025-03-24 |
| CVE-2022-46649 | Acemanager in ALEOS before version 4.16 allows a user with valid credentials to manipulate the IP logging operation to execute arbitrary shell commands on the device. | [email protected] | 8.8 | 0.15% | 2023-02-10 | 2025-03-24 |
| CVE-2019-11851 | The ACENet service in Sierra Wireless ALEOS before 4.4.9, 4.5.x through 4.9.x before 4.9.5, and 4.10.x through 4.13.x before 4.14.0 allows remote attackers to execute arbitrary code via a buffer overflow. | [email protected] | 9.8 | 0.05% | 2022-12-26 | 2025-04-16 |
| CVE-2019-13988 | Sierra Wireless MGOS before 3.15.2 and 4.x before 4.3 allows attackers to read log files via a Direct Request (aka Forced Browsing). | [email protected] | 6.5 | 0.00% | 2022-12-26 | 2025-04-14 |
| CVE-2020-11101 | Sierra Wireless AirLink Mobility Manager (AMM) before 2.17 mishandles sessions and thus an unauthenticated attacker can obtain a login session with administrator privileges. | [email protected] | 9.8 | 0.06% | 2022-12-26 | 2025-04-14 |
| CVE-2020-8782 | Unauthenticated RPC server on ALEOS before 4.4.9, 4.9.5, and 4.14.0 allows remote code execution. | [email protected] | 7.5 | 8.43% | 2020-10-06 | 2024-11-21 |
| CVE-2020-8781 | Lack of input sanitization in UpdateRebootMgr service of ALEOS 4.11 and later allow an escalation to root from a low-privilege process. | [email protected] | 7.8 | 0.04% | 2020-10-06 | 2024-11-21 |
| CVE-2019-11862 | The SSH service on ALEOS before 4.12.0, 4.9.5, 4.4.9 allows traffic proxying. | [email protected] | 8.1 | 0.01% | 2020-08-21 | 2024-11-21 |
| CVE-2019-11859 | A buffer overflow exists in the SMS handler API of ALEOS before 4.13.0, 4.9.5, 4.9.4 that may allow code execution as root. | [email protected] | 6.0 | 0.02% | 2020-08-21 | 2024-11-21 |
| CVE-2019-11858 | Multiple buffer overflow vulnerabilities exist in the AceManager Web API of ALEOS before 4.13.0, 4.9.5, and 4.4.9. | [email protected] | 5.7 | 0.01% | 2020-08-21 | 2024-11-21 |
| CVE-2019-11857 | Lack of input sanitization in AceManager of ALEOS before 4.12.0, 4.9.5 and 4.4.9 allows disclosure of sensitive system information. | [email protected] | 9.1 | 0.01% | 2020-08-21 | 2024-11-21 |