CVE-2018-4065
Description
An exploitable cross-site scripting vulnerability exists in the ACEManager ping_result.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP ping request can cause reflected javascript code execution, resulting in the execution of javascript code running on the victim's browser. An attacker can get a victim to click a link, or embedded URL, that redirects to the reflected cross-site scripting vulnerability to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected cross-site scripting (XSS) vulnerability in the ACEManager ping_result.cgi of Sierra Wireless AirLink ES450 FW 4.9.3 allows arbitrary JavaScript execution via crafted HTTP ping requests.
Vulnerability
The ACEManager web interface in Sierra Wireless AirLink ES450 running firmware version 4.9.3 contains a reflected cross-site scripting (XSS) vulnerability in the ping_result.cgi component [2][3]. The endpoint fails to properly sanitize input before reflecting it back in the HTTP response, allowing an attacker to inject arbitrary JavaScript code. Affected firmware is version 4.9.3; broader AirLink ALEOS versions prior to 4.9.4 for ES450/GX450 are also affected [2].
Exploitation
An attacker crafts a malicious URL containing a specially crafted HTTP ping request that includes JavaScript payloads. The victim must be tricked into clicking the link or an embedded URL that directs them to the vulnerable ping_result.cgi endpoint [1][3]. No authentication is required, and the attack can be delivered remotely over the network. The attacker does not need any prior access to the device.
Impact
Successful exploitation results in reflected JavaScript execution within the victim's browser, with the same privileges as the authenticated user [3]. An attacker can perform actions on behalf of the victim, such as making unauthorised requests, modifying device settings, or stealing sensitive tokens and session cookies [1][3]. The CVSS v3 score is 6.1 (Medium) [3].
Mitigation
Sierra Wireless released firmware version 4.9.4 which addresses this vulnerability [2]. Users should upgrade affected AirLink ES450 devices to version 4.9.4 or later. The vendor notes that the ACEManager web application is not accessible by default from the Cellular WAN, which reduces exposure [3]. No workaround is provided for devices that cannot be upgraded.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sierra Wireless/AirLink ES450
- Range: FW 4.9.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The ping_result.cgi binary does not properly sanitize user-supplied input before reflecting it back in the HTTP response, allowing arbitrary JavaScript injection."
Attack vector
An attacker crafts a malicious HTTP GET or POST request to `/admin/tools/ping_result.cgi` with a `host` parameter containing JavaScript payloads (e.g., `host=192.168.13.31<script>alert('xss')</script>`). The server reflects the unescaped input directly into the response page, causing the browser to execute the injected script. The attacker must lure an authenticated victim into clicking a crafted link or embedded URL; the ACEManager web application is not accessible by default from the Cellular WAN, so the attacker typically needs LAN access or must trick a user on the LAN [ref_id=1].
Affected code
The vulnerability exists in the `ping_result.cgi` binary of the ACEManager web server on the Sierra Wireless AirLink ES450 (FW 4.9.3). The `host` parameter is not filtered before being reflected in the HTTP response [ref_id=1].
What the fix does
The advisory does not include a patch diff or specific fix details. The vendor acknowledged the issue on 2018-12-17 and established a timeline for a fix by 2019-03-26, with public disclosure on 2019-04-25 [ref_id=1]. The recommended remediation is to properly neutralize or encode user-supplied input in the `host` parameter before reflecting it in the HTTP response, preventing JavaScript execution in the victim's browser.
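An added example, not Sierra Wireless's fix or code from the advisory, of the remediation described above: check the `host` value against an allow-list and HTML-encode it before it is written into the response. The function names, the sample constant and the allowed character set are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the decoded `host` value from the reproduction URL. */
const char SAMPLE_HOST[] = "1.1.1.1'<script>alert('xss')</script>";

/* Allow-list for a ping target: 1-253 chars of letters, digits, '.', '-',
 * ':' (hostnames, IPv4 and IPv6 literals). The exact set is an assumption. */
int host_is_valid(const char *host)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-:";
    size_t n = strlen(host);
    return n > 0 && n <= 253 && strspn(host, ok) == n;
}

/* HTML-encode src into dst (cap bytes, NUL-terminated on success).
 * Returns the encoded length, or -1 if dst is too small. */
int html_escape(const char *src, char *dst, size_t cap)
{
    size_t out = 0;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;          /* default: copy the byte as-is */
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = strlen(rep);
        if (out + len >= cap)           /* keep one byte for the NUL */
            return -1;
        memcpy(dst + out, rep, len);
        out += len;
    }
    if (out >= cap) return -1;          /* only reachable when cap == 0 */
    dst[out] = '\0';
    return (int)out;
}

int main(void)
{
    char buf[128];
    int n = html_escape(SAMPLE_HOST, buf, sizeof buf);
    printf("valid=%d encoded=%s\n", host_is_valid(SAMPLE_HOST), n < 0 ? "" : buf);
    return 0;
}
```

The encoding shown covers HTML element and quoted-attribute contexts; a value reflected inside a script block needs JavaScript-context encoding instead.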
Preconditions
- auth: The victim must be authenticated to the ACEManager web interface.
- network: The attacker must be on the same LAN as the device, or trick a LAN user into clicking a crafted link (ACEManager is not accessible by default from the Cellular WAN).
- input: The attacker must craft a URL or POST body containing a malicious JavaScript payload in the 'host' parameter.
Reproduction
After authenticating to ACEManager, navigate to `http://192.168.13.31:9191/admin/tools/ping_result.cgi?host=1.1.1.1%27%3Cscript%3Ealert(%27xss%27)%3C/script%3E` to trigger a reflected XSS alert [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/152650/Sierra-Wireless-AirLink-ES450-ACEManager-ping_result.cgi-Cross-Site-Scripting.html (mitre, x_refsource_MISC)
- www.securityfocus.com/bid/108147 (mitre, vdb-entry, x_refsource_BID)
- ics-cert.us-cert.gov/advisories/ICSA-19-122-03 (mitre, x_refsource_MISC)
- talosintelligence.com/vulnerability_reports/TALOS-2018-0750 (mitre, x_refsource_MISC)