CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Lenovo : Security Vulnerabilities Published In 2017

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-3770 Exec Code 2017-09-22 2019-10-03
6.5
None Remote Low ??? Partial Partial Partial
Privilege escalation vulnerability in LXCA versions earlier than 1.3.2 where an authenticated user may be able to abuse certain web interface functionality to execute privileged commands within the underlying LXCA operating system.
2 CVE-2017-3764 200 +Info 2017-11-30 2017-12-20
5.0
None Remote Low Not required Partial None None
A vulnerability was identified in Lenovo XClarity Administrator (LXCA) before 1.4.0 where LXCA user account names may be exposed to unauthenticated users with access to the LXCA web user interface. No password information of the user accounts is exposed.
3 CVE-2017-3763 2017-09-22 2019-10-03
2.1
None Local Low Not required Partial None None
An attacker who obtains access to the location where the LXCA file system is stored may be able to access credentials of local LXCA accounts in LXCA versions earlier than 1.3.2.
4 CVE-2017-3761 78 Exec Code 2017-10-17 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
The Lenovo Service Framework Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection which, in turn, could lead to remote code execution.
5 CVE-2017-3760 354 Exec Code 2017-10-17 2019-10-03
5.1
None Remote High Not required Partial Partial Partial
The Lenovo Service Framework Android application uses a set of nonsecure credentials when performing integrity verification of downloaded applications and/or data. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
6 CVE-2017-3759 20 Exec Code 2017-10-17 2017-11-08
6.8
None Remote Medium Not required Partial Partial Partial
The Lenovo Service Framework Android application accepts some responses from the server without proper validation. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
7 CVE-2017-3758 Exec Code 2017-10-17 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
Improper access controls on several Android components in the Lenovo Service Framework application can be exploited to enable remote code execution.
8 CVE-2017-3751 428 Exec Code 2017-08-10 2017-08-24
7.2
None Local Low Not required Complete Complete Complete
An unquoted service path vulnerability was identified in the driver for the ThinkPad Compact USB Keyboard with TrackPoint versions earlier than 1.5.5.0. This could allow an attacker with local privileges to execute code with administrative privileges.
9 CVE-2017-3746 Exec Code 2017-08-29 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
ThinkPad USB 3.0 Ethernet Adapter (part number 4X90E51405) driver, various versions, was found to contain a privilege escalation vulnerability that could allow a local user to execute arbitrary code with administrative or system level privileges.
10 CVE-2017-3745 287 +Priv 2017-06-20 2017-06-30
2.1
None Local Low Not required Partial None None
In Lenovo XClarity Administrator (LXCA) before 1.3.0, if service data is downloaded from LXCA, a non-administrative user may have access to password information for users that have previously authenticated to the LXCA's internal LDAP server, including administrative accounts and service accounts with administrative privileges. This is an issue only for users who have used local authentication with LXCA and not remote authentication against external LDAP or ADFS servers.
11 CVE-2017-3743 200 +Info 2017-06-20 2017-06-30
3.5
None Remote Medium ??? Partial None None
If multiple users are concurrently logged into a single system where one user is sending a command via the Lenovo ToolsCenter Advanced Settings Utility (ASU), UpdateXpress System Pack Installer (UXSPI) or Dynamic System Analysis (DSA) to a second machine, the other users may be able to see the user ID and clear text password that were used to access the second machine during the time the command is processing.
12 CVE-2017-3740 DoS 2017-06-04 2019-10-03
4.9
None Local Low Not required None None Complete
In Lenovo Active Protection System before 1.82.0.14, an attacker with local privileges could send commands to the system's embedded controller, which could cause a denial of service attack on the system or the ability to alter hardware functionality.
13 CVE-2016-8237 264 Exec Code 2017-04-10 2017-04-17
9.3
None Remote Medium Not required Complete Complete Complete
Remote code execution in Lenovo Updates (not Lenovo System Update) allows man-in-the-middle attackers to execute arbitrary code.
14 CVE-2016-8235 264 Exec Code 2017-04-10 2017-04-17
7.2
None Local Low Not required Complete Complete Complete
Privilege escalation in Lenovo Customer Care Software Development Kit (CCSDK) versions earlier than 2.0.16.3 allows local users to execute code with elevated privileges.
15 CVE-2016-8233 532 2017-03-01 2017-03-03
5.0
None Remote Low Not required Partial None None
Log files generated by Lenovo XClarity Administrator (LXCA) versions earlier than 1.2.2 may contain user credentials in a non-secure, clear text form that could be viewed by a non-privileged user.
16 CVE-2016-8231 295 2017-06-04 2017-06-09
5.0
None Remote Low Not required None Partial None
In Lenovo Service Bridge before version 4, a bug found in the signature verification logic of the code signing certificate could be exploited by an attacker to insert a forged code signing certificate.
17 CVE-2016-8230 200 +Info 2017-06-04 2017-06-09
5.0
None Remote Low Not required Partial None None
In Lenovo Service Bridge before version 4, an insecure HTTP connection is used by LSB to send system serial number, machine type and model and product name to Lenovo's servers.
18 CVE-2016-8229 352 CSRF 2017-06-04 2017-06-09
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery vulnerability in Lenovo Service Bridge before version 4 could be exploited by an attacker with access to the DHCP server used by the system where LSB is installed.
19 CVE-2016-8228 264 Exec Code 2017-06-04 2017-06-09
7.2
None Local Low Not required Complete Complete Complete
In Lenovo Service Bridge before version 4, a user with local privileges on a system could execute code with administrative privileges.
20 CVE-2016-8227 284 Exec Code 2017-01-26 2017-01-28
7.2
None Local Low Not required Complete Complete Complete
Privilege escalation vulnerability in Lenovo Transition application used in Lenovo Yoga, Flex and Miix systems running Windows allows local users to execute code with elevated privileges.
21 CVE-2016-8226 19 DoS 2017-01-26 2017-02-01
6.8
None Remote Low ??? None None Complete
The BIOS in Lenovo System X M5, M6, and X6 systems allows administrators to cause a denial of service via updating a UEFI data structure.
22 CVE-2016-8225 428 Exec Code 2017-01-26 2017-02-01
4.6
None Local Low Not required Partial Partial Partial
Unquoted service path vulnerability in Lenovo Edge and Lenovo Slim USB Keyboard Driver versions earlier than 1.21 allows local users to execute code with elevated privileges.
23 CVE-2016-8221 264 2017-01-12 2017-01-19
1.9
None Local Medium Not required Partial None None
Privilege Escalation in Lenovo XClarity Administrator earlier than 1.2.0, if LXCA is used to manage rack switches or chassis with embedded input/output modules (IOMs), certain log files viewable by authenticated users may contain passwords for internal administrative LXCA accounts with temporary passwords that are used internally by LXCA code.
24 CVE-2016-8106 20 DoS 2017-01-09 2017-07-27
4.3
None Remote Medium Not required None None Partial
A Denial of Service in Intel Ethernet Controller's X710/XL710 with Non-Volatile Memory Images before version 5.05 allows a remote attacker to stop the controller from processing network traffic working under certain network use conditions.
25 CVE-2016-1876 264 +Priv 2017-05-23 2017-06-07
7.2
None Local Low Not required Complete Complete Complete
The backend service process in Lenovo Solution Center (aka LSC) before 3.3.0002 allows local users to gain SYSTEM privileges via unspecified vectors.
26 CVE-2015-8110 264 +Priv 2017-04-24 2017-04-28
7.2
None Local Low Not required Complete Complete Complete
Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by navigating to (1) "Click here to learn more" or (2) "View privacy policy" within the Tvsukernel.exe GUI application in the context of a temporary administrator account, aka a "local privilege escalation vulnerability."
27 CVE-2015-8109 255 +Priv 2017-04-24 2017-04-29
6.9
None Local Medium Not required Complete Complete Complete
Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by making a prediction of tvsu_tmp_xxxxxXXXXX account credentials that requires knowledge of the time that this account was created, aka a "temporary administrator account vulnerability."
28 CVE-2015-6971 77 +Priv 2017-10-03 2017-10-17
7.2
None Local Low Not required Complete Complete Complete
Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0013 allows local users to submit commands to the System Update service (SUService.exe) and gain privileges by launching signed Lenovo executables.
29 CVE-2015-4596 264 2017-06-13 2017-06-28
4.6
None Local Low Not required Partial Partial Partial
Lenovo Mouse Suite before 6.73 allows local users to run arbitrary code with administrator privileges.
30 CVE-2015-3321 264 +Priv 2017-10-03 2017-10-17
7.2
None Local Low Not required Complete Complete Complete
Services and files in Lenovo Fingerprint Manager before 8.01.42 have incorrect ACLs, which allows local users to invalidate local checks and gain privileges via standard filesystem operations.
Total number of vulnerabilities : 30   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.