CVE-2018-9079 : For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlie

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, adversaries can craft URLs to modify the Document Object Model (DOM) of the page. In addition, adversaries can inject HTML script tags and HTML tags with JavaScript handlers to execute arbitrary JavaScript with the origin of the device.

Published 2018-09-28 20:29:01

Updated 2020-08-24 17:37:01

Source Lenovo Group Ltd.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2018-9079

Lenovo » Storcenter Px12-450r Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:storcenter_px12-450r_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Storcenter Px12-450r » Version: N/A
Lenovo » Storcenter Px12-400r Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:storcenter_px12-400r_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Storcenter Px12-400r » Version: N/A
Lenovo » Storcenter Px4-300r Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:storcenter_px4-300r_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Storcenter Px4-300r » Version: N/A
Lenovo » Storcenter Px6-300d Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:storcenter_px6-300d_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Storcenter Px6-300d » Version: N/A
Lenovo » Storcenter Px4-300d Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:storcenter_px4-300d_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Storcenter Px4-300d » Version: N/A
Lenovo » Storcenter Px2-300d Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:storcenter_px2-300d_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Storcenter Px2-300d » Version: N/A
Lenovo » Storcenter Ix4-300d Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:storcenter_ix4-300d_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Storcenter Ix4-300d » Version: N/A
Lenovo » Storcenter Ix2 Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:storcenter_ix2_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Storcenter Ix2 » Version: N/A
Lenovo » Storcenter Ix2-dl Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:storcenter_ix2-dl_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Storcenter Ix2-dl » Version: N/A
Lenovo » Ez Media & Backup Center Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:ez_media_\&_backup_center_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Ez Media & Backup Center » Version: N/A
Lenovo » Px12-450r Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:px12-450r_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Px12-450r » Version: N/A
Lenovo » Px12-400r Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:px12-400r_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Px12-400r » Version: N/A
Lenovo » Px4-400r Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:px4-400r_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Px4-400r » Version: N/A
Lenovo » Px4-300r Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:px4-300r_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Px4-300r » Version: N/A
Lenovo » Px6-300d Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:px6-300d_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Px6-300d » Version: N/A
Lenovo » Px4-400d Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:px4-400d_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Px4-400d » Version: N/A
Lenovo » Px4-300d Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:px4-300d_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Px4-300d » Version: N/A
Lenovo » Px2-300d Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:px2-300d_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Px2-300d » Version: N/A
Lenovo » Ix4-300d Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:ix4-300d_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Ix4-300d » Version: N/A
Lenovo » Ix2 Firmware » Version: 4.1.402.34662
cpe:2.3:o:lenovo:ix2_firmware:4.1.402.34662:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » IX2 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2018-9079

EPSS FAQ

0.54%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 65 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-9079

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2018-9079

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-9079

https://support.lenovo.com/us/en/solutions/LEN-24224

Iomega and LenovoEMC NAS Web UI Vulnerabilities - US
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2018-9079

Products affected by CVE-2018-9079

Exploit prediction scoring system (EPSS) score for CVE-2018-9079

CVSS scores for CVE-2018-9079

CWE ids for CVE-2018-9079

References for CVE-2018-9079