CVEdetails.com the ultimate security vulnerability data source

Lenovo : Security Vulnerabilities (Execute Code)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 CVE-2020-8351 269 Exec Code 2020-11-30 2020-12-02
4.6
None Local Low Not required Partial Partial Partial
A privilege escalation vulnerability was reported in Lenovo PCManager prior to version 3.0.50.9162 that could allow an authenticated user to execute code with elevated privileges.
2 CVE-2020-8348 79 Exec Code XSS 2020-09-24 2020-09-30
4.3
None Remote Medium Not required None Partial None
A DOM-based cross-site scripting (XSS) vulnerability was reported in Lenovo Enterprise Network Disk prior to version 6.1 patch 6 hotfix 4 that could allow execution of code in an authenticated user's current browser session if a crafted URL is visited, possibly through phishing.
3 CVE-2020-8347 79 Exec Code XSS 2020-09-24 2020-09-30
4.3
None Remote Medium Not required None Partial None
A reflective cross-site scripting (XSS) vulnerability was reported in Lenovo Enterprise Network Disk prior to version 6.1 patch 6 hotfix 4 that could allow execution of code in an authenticated user's browser if a crafted URL is visited, possibly through phishing.
4 CVE-2020-8338 426 Exec Code 2020-10-14 2020-10-16
7.2
None Local Low Not required Complete Complete Complete
A DLL search path vulnerability was reported in Lenovo Diagnostics prior to version 4.35.4 that could allow a user with local access to execute code on the system.
5 CVE-2020-8327 269 Exec Code 2020-04-14 2020-04-15
7.2
None Local Low Not required Complete Complete Complete
A privilege escalation vulnerability was reported in LenovoBatteryGaugePackage for Lenovo System Interface Foundation bundled in Lenovo Vantage prior to version 10.2003.10.0 that could allow an authenticated user to execute code with elevated privileges.
6 CVE-2020-8326 428 Exec Code 2020-07-24 2020-07-29
6.9
None Local Medium Not required Complete Complete Complete
An unquoted service path vulnerability was reported in Lenovo Drivers Management prior to version 2.7.1128.1046 that could allow an authenticated user to execute code with elevated privileges.
7 CVE-2020-8319 269 Exec Code 2020-04-14 2020-04-15
7.2
None Local Low Not required Complete Complete Complete
A privilege escalation vulnerability was reported in Lenovo System Interface Foundation prior to version 1.1.19.3 that could allow an authenticated user to execute code with elevated privileges.
8 CVE-2020-8318 269 Exec Code 2020-04-14 2020-04-15
7.2
None Local Low Not required Complete Complete Complete
A privilege escalation vulnerability was reported in the LenovoSystemUpdatePlugin for Lenovo System Interface Foundation prior to version that could allow an authenticated user to execute code with elevated privileges.
9 CVE-2020-8317 426 Exec Code 2020-07-24 2020-07-29
6.9
None Local Medium Not required Complete Complete Complete
A DLL search path vulnerability was reported in Lenovo Drivers Management prior to version 2.7.1128.1046 that could allow an authenticated user to execute code with elevated privileges.
10 CVE-2019-19757 79 Exec Code XSS 2020-02-14 2020-02-24
3.5
None Remote Medium ??? None Partial None
An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered a Document Object Model (DOM) based cross-site scripting vulnerability in versions prior to 2.6.6 that could allow JavaScript code to be executed in the user's web browser if a specially crafted link is visited. The JavaScript code is executed on the user's system, not executed on LXCA itself.
11 CVE-2019-6186 Exec Code 2019-11-20 2019-11-22
6.5
None Remote Low ??? Partial Partial Partial
A potential vulnerability was reported in Lenovo System Interface Foundation versions before v1.1.18.3 that could allow an authenticated user to execute code as another user.
12 CVE-2019-6181 79 Exec Code XSS 2019-09-03 2019-10-09
4.3
None Remote Medium Not required None Partial None
A reflected cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow a crafted URL, if visited, to cause JavaScript code to be executed in the user's web browser. The JavaScript code is not executed on LXCA itself.
13 CVE-2019-6180 79 Exec Code XSS 2019-09-03 2019-10-09
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to cause JavaScript code to be stored in LXCA which may then be executed in the user's web browser. The JavaScript code is not executed on LXCA itself.
14 CVE-2018-9066 20 Exec Code 2018-07-30 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
In Lenovo XClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstances, inject additional parameters into a specific web API call which can result in privileged command execution within LXCA's underlying operating system.
15 CVE-2018-9063 119 Exec Code Overflow 2018-05-04 2018-06-13
4.6
None Local Low Not required Partial Partial Partial
MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) in Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering a very large user ID or password can overrun the program's buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv.
16 CVE-2017-17833 119 Exec Code Overflow Mem. Corr. 2018-04-23 2020-05-15
7.5
None Remote Low Not required Partial Partial Partial
OpenSLP releases in the 1.0.2 and 1.1.0 code streams have a heap-related memory corruption issue which may manifest itself as a denial-of-service or a remote code-execution vulnerability.
17 CVE-2017-3770 Exec Code 2017-09-22 2019-10-03
6.5
None Remote Low ??? Partial Partial Partial
Privilege escalation vulnerability in LXCA versions earlier than 1.3.2 where an authenticated user may be able to abuse certain web interface functionality to execute privileged commands within the underlying LXCA operating system.
18 CVE-2017-3761 78 Exec Code 2017-10-17 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
The Lenovo Service Framework Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection which, in turn, could lead to remote code execution.
19 CVE-2017-3760 354 Exec Code 2017-10-17 2019-10-03
5.1
None Remote High Not required Partial Partial Partial
The Lenovo Service Framework Android application uses a set of nonsecure credentials when performing integrity verification of downloaded applications and/or data. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
20 CVE-2017-3759 20 Exec Code 2017-10-17 2017-11-08
6.8
None Remote Medium Not required Partial Partial Partial
The Lenovo Service Framework Android application accepts some responses from the server without proper validation. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
21 CVE-2017-3758 Exec Code 2017-10-17 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
Improper access controls on several Android components in the Lenovo Service Framework application can be exploited to enable remote code execution.
22 CVE-2017-3751 428 Exec Code 2017-08-10 2017-08-24
7.2
None Local Low Not required Complete Complete Complete
An unquoted service path vulnerability was identified in the driver for the ThinkPad Compact USB Keyboard with TrackPoint versions earlier than 1.5.5.0. This could allow an attacker with local privileges to execute code with administrative privileges.
23 CVE-2017-3746 Exec Code 2017-08-29 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
ThinkPad USB 3.0 Ethernet Adapter (part number 4X90E51405) driver, various versions, was found to contain a privilege escalation vulnerability that could allow a local user to execute arbitrary code with administrative or system level privileges.
24 CVE-2016-8237 264 Exec Code 2017-04-10 2017-04-17
9.3
None Remote Medium Not required Complete Complete Complete
Remote code execution in Lenovo Updates (not Lenovo System Update) allows man-in-the-middle attackers to execute arbitrary code.
25 CVE-2016-8235 264 Exec Code 2017-04-10 2017-04-17
7.2
None Local Low Not required Complete Complete Complete
Privilege escalation in Lenovo Customer Care Software Development Kit (CCSDK) versions earlier than 2.0.16.3 allows local users to execute code with elevated privileges.
26 CVE-2016-8228 264 Exec Code 2017-06-04 2017-06-09
7.2
None Local Low Not required Complete Complete Complete
In Lenovo Service Bridge before version 4, a user with local privileges on a system could execute code with administrative privileges.
27 CVE-2016-8227 284 Exec Code 2017-01-26 2017-01-28
7.2
None Local Low Not required Complete Complete Complete
Privilege escalation vulnerability in Lenovo Transition application used in Lenovo Yoga, Flex and Miix systems running Windows allows local users to execute code with elevated privileges.
28 CVE-2016-8225 428 Exec Code 2017-01-26 2017-02-01
4.6
None Local Low Not required Partial Partial Partial
Unquoted service path vulnerability in Lenovo Edge and Lenovo Slim USB Keyboard Driver versions earlier than 1.21 allows local users to execute code with elevated privileges.
29 CVE-2016-5729 264 Exec Code 2016-06-30 2019-09-27
6.8
None Local Low ??? Complete Complete Complete
Lenovo BIOS EFI Driver allows local administrators to execute arbitrary code with System Management Mode (SMM) privileges via unspecified vectors.
30 CVE-2016-5249 264 Exec Code 2016-06-30 2016-07-01
7.2
None Local Low Not required Complete Complete Complete
Lenovo Solution Center (LSC) before 3.3.003 allows local users to execute arbitrary code with LocalSystem privileges via vectors involving the LSC.Services.SystemService StartProxy command with a named pipe created in advance and crafted .NET assembly.
31 CVE-2016-3944 20 Exec Code 2016-06-03 2016-06-07
9.3
None Remote Medium Not required Complete Complete Complete
UpdateAgent in Lenovo Accelerator Application allows man-in-the-middle attackers to execute arbitrary code by spoofing an update response from susapi.lenovomm.com.
32 CVE-2015-8535 22 Exec Code Dir. Trav. 2020-03-27 2020-03-31
7.2
None Local Low Not required Complete Complete Complete
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A directory traversal vulnerability was discovered (fixed and publicly disclosed in 2015) in Lenovo Solution Center (LSC) prior to version 3.3.002 that could allow a user to execute arbitrary code with elevated privileges.
33 CVE-2015-8534 269 Exec Code 2020-03-27 2020-03-31
7.2
None Local Low Not required Complete Complete Complete
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A local privilege escalation vulnerability was discovered (fixed and publicly disclosed in 2015) in Lenovo Solution Center (LSC) prior to version 3.3.002 that could allow a user to execute arbitrary code with elevated privileges.
34 CVE-2015-7818 264 Exec Code 2015-11-12 2015-11-12
7.2
None Local Low Not required Complete Complete Complete
The administration-panel web service in IBM System Networking Switch Center (SNSC) before 7.3.1.5 and Lenovo Switch Center before 8.1.2.0 allows local users to execute arbitrary JSP code with SYSTEM privileges by using the Apache Axis AdminService deployment method to install a .jsp file.
35 CVE-2015-7335 362 Exec Code 2020-03-27 2020-03-30
6.9
None Local Medium Not required Complete Complete Complete
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A race condition was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and prior that could allow a user to execute arbitrary code with elevated privileges.
36 CVE-2015-7334 269 Exec Code 2020-03-27 2020-03-30
7.2
None Local Low Not required Complete Complete Complete
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A local privilege escalation vulnerability was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and prior where the SUService.exe /type COMMAND type could allow a user to execute arbitrary code with elevated privileges.
37 CVE-2015-7333 269 Exec Code 2020-03-27 2020-03-30
7.2
None Local Low Not required Complete Complete Complete
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A local privilege escalation vulnerability was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and prior where the SUService.exe /type INF and INF_BY_COMPATIBLE_ID command types could allow a user to execute arbitrary code with elevated privileges.
38 CVE-2014-1939 94 Exec Code 2014-03-03 2016-05-26
7.5
None Remote Low Not required Partial Partial Partial
java/android/webkit/BrowserFrame.java in Android before 4.4 uses the addJavascriptInterface API in conjunction with creating an object of the SearchBoxImpl class, which allows attackers to execute arbitrary Java code by leveraging access to the searchBoxJavaBridge_ interface at certain Android API levels.
39 CVE-2013-1361 Exec Code 2014-01-21 2017-08-29
9.3
None Remote Medium Not required Complete Complete Complete
Untrusted search path vulnerability in Lenovo Thinkpad Bluetooth with Enhanced Data Rate Software 6.4.0.2900 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse DLL that is located in the same folder as a file that is processed by Lenovo Bluetooth.
40 CVE-2008-4589 119 Exec Code Overflow 2008-10-15 2018-10-11
7.2
None Local Low Not required Complete Complete Complete
Heap-based buffer overflow in the tvtumin.sys kernel driver in Lenovo Rescue and Recovery 4.20, including 4.20.0511 and 4.20.0512, allows local users to execute arbitrary code via a long file name.
41 CVE-2007-2929 Exec Code 2007-08-15 2018-10-12
5.8
None Remote Medium Not required None Partial Partial
The IBM Lenovo Access Support acpRunner ActiveX control, as distributed in acpcontroller.dll before 1.2.8.0 and possibly acpir.dll before 1.0.0.9 (Automated Solutions 1.0 before fix pack 1), exposes unsafe methods to arbitrary web domains, which allows remote attackers to download arbitrary code onto a client system and execute this code.
42 CVE-2007-2928 Exec Code 2007-08-15 2018-10-12
5.8
None Remote Medium Not required None Partial Partial
Format string vulnerability in the IBM Lenovo Access Support acpRunner ActiveX control, as distributed in acpcontroller.dll before 1.2.8.0 and possibly acpir.dll before 1.0.0.9 (Automated Solutions 1.0 before fix pack 1), allows remote attackers to execute arbitrary code via format string specifiers in unknown data.
Total number of vulnerabilities : 42   Page : 1 (This Page)