A valid, authenticated LXCA (Lenovo XClarity Administrator) user may be able to gain unauthorized access to events and other data stored in LXCA due to a SQL injection vulnerability in a specific web API.
Max CVSS: 8.1 | EPSS Score: 0.05% | Published: 2023-06-26 | Updated: 2023-07-06
A valid XCC (Lenovo XClarity Controller) user's local account permissions override their Active Directory permissions under specific configurations. This could lead to privilege escalation. To be vulnerable, LDAP must be configured for authentication/authorization and logins must be configured as “Local First, then LDAP”.
Max CVSS: 8.8 | EPSS Score: 0.05% | Published: 2023-04-28 | Updated: 2023-05-10
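The following is an added model of the “Local First, then LDAP” login order described in the entry above; it is not Lenovo or XCC code. It keeps two account stores, consults them in a configurable order, and lists local accounts that shadow a directory user. Every username, password, role name and the store layout are constructed for the example, and `effective_role` is the example's own policy, not a description of the vendor fix.

```python
"""Login-order model for a "Local First, then LDAP" configuration.

Constructed example (not XCC code): two account stores, a login routine that
tries them in order, and a check for local accounts that shadow directory users.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Account:
    username: str
    password: str
    role: str    # constructed role names: "Supervisor", "Operator", "ReadOnly"
    source: str  # which store answered: "local" or "ldap"


# Constructed data. "jdoe" is the interesting case: the directory grants
# ReadOnly, but a stale local account with the same name still holds Supervisor.
LOCAL_ACCOUNTS = {
    "admin": Account("admin", "local-admin-pw", "Supervisor", "local"),
    "jdoe": Account("jdoe", "jdoe-local-pw", "Supervisor", "local"),
}
LDAP_ACCOUNTS = {
    "jdoe": Account("jdoe", "jdoe-ad-pw", "ReadOnly", "ldap"),
    "asmith": Account("asmith", "asmith-ad-pw", "Operator", "ldap"),
}
STORES = {"local": LOCAL_ACCOUNTS, "ldap": LDAP_ACCOUNTS}

LOCAL_FIRST = ("local", "ldap")   # the ordering named in the advisory
LDAP_ONLY = ("ldap",)


def login(username: str, password: str,
          order: Sequence[str] = LOCAL_FIRST) -> Optional[Account]:
    """Try each store in `order`; the first store that accepts the password
    decides the role. Later stores are never consulted, so a local match
    never sees the directory's (possibly lower) role for the same user."""
    for store_name in order:
        acct = STORES[store_name].get(username)
        if acct is not None and acct.password == password:  # model only; not constant-time
            return acct
    return None


def shadowed_accounts():
    """Local accounts whose username also exists in the directory with a
    different role: the accounts through which local permissions can
    override directory permissions under a local-first ordering."""
    out = []
    for name, local in LOCAL_ACCOUNTS.items():
        remote = LDAP_ACCOUNTS.get(name)
        if remote is not None and remote.role != local.role:
            out.append((name, local.role, remote.role))
    return sorted(out)


def effective_role(acct: Account) -> str:
    """Example policy (an assumption, not a vendor fix): when the directory is
    the authorization source and it knows the user, its role wins regardless
    of which store authenticated the password."""
    remote = LDAP_ACCOUNTS.get(acct.username)
    return remote.role if remote is not None else acct.role


if __name__ == "__main__":
    for pw in ("jdoe-local-pw", "jdoe-ad-pw"):
        acct = login("jdoe", pw)
        print(pw, "->", acct.source, acct.role, "| effective:", effective_role(acct))
    print("shadowed:", shadowed_accounts())
```

Run stand-alone, the script shows the same user landing on Supervisor with the local password and on ReadOnly with the directory password; `shadowed_accounts()` is the pre-deployment check to run before enabling a local-first ordering.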
A valid, authenticated user may be able to trigger a denial of service of the XCC web user interface or other undefined behavior through a format string injection vulnerability in a web interface API.
Max CVSS: 8.8 | EPSS Score: 0.05% | Published: 2023-05-01 | Updated: 2023-05-10
An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model (CIM) server that could result in read-only access to specific files.
Max CVSS: 8.2 | EPSS Score: 0.09% | Published: 2023-06-26 | Updated: 2023-07-07
A default password was reported in Lenovo Smart Clock Essential with Alexa Built In that could allow unauthorized device access to an attacker with local network access.
Max CVSS: 8.8 | EPSS Score: 0.05% | Published: 2023-05-01 | Updated: 2023-05-09
A valid, authenticated XCC user with read only access may gain elevated privileges through a specifically crafted API call.
Max CVSS: 8.8 | EPSS Score: 0.05% | Published: 2023-05-01 | Updated: 2023-05-10
A potential vulnerability was reported in Lenovo PCManager prior to version 5.0.10.4191 that may allow code execution when visiting a specially crafted website.
Max CVSS: 8.8 | EPSS Score: 0.26% | Published: 2022-08-23 | Updated: 2023-01-23
A command injection vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an authenticated user to execute operating system commands by sending a crafted packet to the device.
Max CVSS: 8.0 | EPSS Score: 0.04% | Published: 2022-05-18 | Updated: 2022-05-26
A weak default administrator password for the web interface and serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical or local network access.
Max CVSS: 8.8 | EPSS Score: 0.04% | Published: 2022-05-18 | Updated: 2022-05-26
An authentication bypass vulnerability was discovered in an internal service of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected.
Max CVSS: 9.8 | EPSS Score: 0.17% | Published: 2022-04-22 | Updated: 2022-08-09
An authentication bypass vulnerability was discovered in the web interface of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected.
Max CVSS: 9.8 | EPSS Score: 0.17% | Published: 2022-04-22 | Updated: 2022-10-27
A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPI). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427), in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPI. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPI.
Max CVSS: 8.8 | EPSS Score: 0.50% | Published: 2021-11-12 | Updated: 2021-11-17
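As an added illustration of the Antilles entry above (not Antilles or Lenovo code), the script below audits a requirements.txt against two index snapshots. It emulates how pip pools candidates from `--index-url` and every `--extra-index-url` and takes the highest matching version, so a same-named public package wins once it carries a higher version, and a name that exists on no index at all is free for an attacker to register. The index contents, the `acme-*` package names and all version numbers are constructed; only the `antilles-tools` name comes from the advisory.

```python
"""Dependency-confusion audit for a requirements.txt (constructed example).

pip treats the primary index and extra indexes as equals: candidates from all
of them are pooled and the highest version satisfying the specifier wins.
"""
import re

# Constructed index snapshots, not real PyPI data.
PRIVATE_INDEX = {"acme-internal-lib": ["2.3.1"]}
PUBLIC_INDEX = {
    "requests": ["2.31.0"],
    "acme-internal-lib": ["99.0.0"],   # squatted name with an inflated version
}

# Constructed requirements file. antilles-tools is listed but exists on
# neither index, which is the "unclaimed name" situation from the advisory.
REQUIREMENTS = """\
# constructed requirements.txt
--extra-index-url https://pypi.example.internal/simple   # hypothetical private index
requests>=2.28
acme_internal_lib
antilles-tools==1.0.0
"""

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|!=|>|<)?\s*([^\s;#]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str):
    """Good-enough ordering for dotted numeric versions (no pre-release handling)."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text: str):
    """Return [(normalized_name, operator, version)]; comments and pip options are skipped."""
    reqs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_RE.match(line)
        if m:
            name, op, ver = m.groups()
            reqs.append((normalize(name), op or None, ver or None))
    return reqs


def satisfies(version: str, op, pinned) -> bool:
    if op is None:
        return True
    a, b = parse_version(version), parse_version(pinned)
    return {"==": a == b, ">=": a >= b, "<=": a <= b,
            ">": a > b, "<": a < b, "!=": a != b}[op]


def resolve(req, indexes):
    """Emulate pip across `indexes` (list of (label, {pkg: [versions]})):
    pool every satisfying candidate and pick the highest version.
    Returns (label, version) or None when nothing matches."""
    name, op, pinned = req
    candidates = [(parse_version(v), label, v)
                  for label, contents in indexes
                  for v in contents.get(name, []) if satisfies(v, op, pinned)]
    if not candidates:
        return None
    _, label, v = max(candidates)
    return (label, v)


def audit(requirements_text: str, private_index, public_index):
    """Flag requirements that a public index can hijack: either a private name
    that a higher public version would beat, or a name present on no index."""
    findings = []
    for req in parse_requirements(requirements_text):
        pooled = resolve(req, [("private", private_index), ("public", public_index)])
        private_only = resolve(req, [("private", private_index)])
        if pooled is None and private_only is None:
            findings.append((req[0], "unclaimed: on no index, the name can be registered by anyone"))
        elif private_only is not None and pooled is not None and pooled[0] == "public":
            findings.append((req[0], f"confusable: public {pooled[1]} beats private {private_only[1]}"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(REQUIREMENTS, PRIVATE_INDEX, PUBLIC_INDEX):
        print(f"{name}: {problem}")
```

The remedy the advisory describes corresponds to resolving against the private index alone (`resolve(req, [("private", PRIVATE_INDEX)])`, i.e. `--index-url` with no `--extra-index-url`) and to claiming the unclaimed name on the public index so that it can no longer be registered by someone else.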
A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow an unauthorized user to view device information, alter firmware content and device configuration. This vulnerability is the same as CNVD-2020-68651.
Max CVSS: 9.8 | EPSS Score: 0.16% | Published: 2021-08-17 | Updated: 2021-08-30
An authentication bypass vulnerability was reported in Lenovo ThinkPad Stack Wireless Router firmware version 1.1.3.4 that could allow escalation of privilege.
Max CVSS: 8.8 | EPSS Score: 0.07% | Published: 2020-10-14 | Updated: 2020-10-20
An internal security review has identified an unauthenticated remote code execution vulnerability in Cloud Networking Operating System (CNOS)’ optional REST API management interface. This interface is disabled by default and not vulnerable unless enabled. When enabled, it is only vulnerable where attached to a VRF and as allowed by defined ACLs. Lenovo strongly recommends upgrading to a non-vulnerable CNOS release. Where not possible, Lenovo recommends disabling the REST API management interface or restricting access to the management VRF and further limiting access to authorized management stations via ACL.
Max CVSS: 9.8 | EPSS Score: 0.55% | Published: 2020-10-14 | Updated: 2020-10-29
The BIOS tamper detection mechanism was not triggered in Lenovo ThinkPad T460p, BIOS versions up to R07ET90W, and T470p, BIOS versions up to R0FET50W, which may allow for unauthorized access.
Max CVSS: 9.8 | EPSS Score: 0.22% | Published: 2019-11-12 | Updated: 2020-08-24
A potential vulnerability was reported in Lenovo System Interface Foundation versions before v1.1.18.3 that could allow an authenticated user to execute code as another user.
Max CVSS: 8.8 | EPSS Score: 0.11% | Published: 2019-11-20 | Updated: 2019-11-22
A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Lenovo Vantage or Lenovo Diagnostics in April 2018.
Max CVSS: 9.8 | EPSS Score: 0.22% | Published: 2019-08-21 | Updated: 2022-10-14
A vulnerability reported in Lenovo Service Bridge before version 4.1.0.1 could allow remote code execution.
Max CVSS: 9.8 | EPSS Score: 1.36% | Published: 2019-06-26 | Updated: 2022-10-14
A vulnerability reported in Lenovo Service Bridge before version 4.1.0.1 could allow remote code execution.
Max CVSS: 9.8 | EPSS Score: 1.36% | Published: 2019-06-26 | Updated: 2022-10-14
A vulnerability reported in Lenovo Service Bridge before version 4.1.0.1 could allow cross-site request forgery.
Max CVSS: 8.8 | EPSS Score: 0.07% | Published: 2019-06-26 | Updated: 2022-10-14
A vulnerability in various versions of Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.
Max CVSS: 8.8 | EPSS Score: 0.17% | Published: 2019-07-16 | Updated: 2020-08-24
A stored cross-site scripting (XSS) vulnerability exists in various firmware versions of the legacy IBM System x IMM (IMM v1) embedded Baseboard Management Controller (BMC). This vulnerability could allow an unauthenticated user to cause JavaScript code to be stored in the IMM log which may then be executed in the user's web browser when IMM log records containing the JavaScript code are viewed. The JavaScript code is not executed on IMM itself. The later IMM2 (IMM v2) is not affected.
Max CVSS: 9.6 | EPSS Score: 0.09% | Published: 2019-08-19 | Updated: 2023-03-29
An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered HTTP proxy credentials being written to a log file in clear text. This only affects LXCA when HTTP proxy credentials have been configured. This affects LXCA versions 2.0.0 to 2.3.x.
Max CVSS: 8.7 | EPSS Score: 0.15% | Published: 2019-05-03 | Updated: 2019-10-09
In System Management Module (SMM) versions prior to 1.06, an internal SMM function that retrieves configuration settings is prone to a buffer overflow.
Max CVSS: 8.1 | EPSS Score: 0.25% | Published: 2018-11-27 | Updated: 2018-12-19
58 vulnerabilities found