Filtered by vendor Lenovo
Subscriptions
Total
403 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-6178 | 1 Lenovo | 12 Home Media Network Hard Drive, Home Media Network Hard Drive Firmware, Ix12-300r and 9 more | 2024-09-17 | 5.3 Medium |
An information leakage vulnerability in Iomega and LenovoEMC NAS products could allow disclosure of some device details such as Share names through the device API when Personal Cloud is enabled. This does not allow read, write, delete, or any other access to the underlying file systems and their contents. | ||||
CVE-2019-6182 | 1 Lenovo | 1 Xclarity Administrator | 2024-09-17 | 4.9 Medium |
A stored CSV Injection vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to store malformed data in LXCA Jobs and Event Log data, that could result in crafted formulas stored in an exported CSV file. The crafted formula is not executed on LXCA itself. | ||||
CVE-2019-6184 | 1 Lenovo | 1 Customer Engagement Service | 2024-09-17 | 7.8 High |
A potential vulnerability in the discontinued Customer Engagement Service (CCSDK) software version 2.0.21.1 may allow local privilege escalation. | ||||
CVE-2018-9067 | 1 Lenovo | 1 Lenovo Help | 2024-09-17 | N/A |
The Lenovo Help Android app versions earlier than 6.1.2.0327 had insufficient access control for some functions which, if exploited, could have led to exposure of approximately 400 email addresses and 8,500 IMEI. | ||||
CVE-2019-6154 | 1 Lenovo | 5 Bootable Usb, Ideacentre, Thinkcentre and 2 more | 2024-09-17 | N/A |
A DLL search path vulnerability was reported in Lenovo Bootable Generator, prior to version Mar-2019, that could allow a malicious user with local access to execute code on the system. | ||||
CVE-2020-8355 | 1 Lenovo | 1 Xclarity Administrator | 2024-09-17 | 4.9 Medium |
An internal product security audit of Lenovo XClarity Administrator (LXCA) prior to version 3.1.0 discovered the Windows OS credentials provided by the LXCA user to perform driver updates of managed systems may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated while managed endpoints are updating. The service log is only generated when requested by a privileged LXCA user and it is only accessible to the privileged LXCA user that requested the file and is then deleted. | ||||
CVE-2019-6161 | 1 Lenovo | 2 Cp Storage Block, Cp Storage Block Firmware | 2024-09-17 | 7.5 High |
An internal product security audit discovered a session handling vulnerability in the web interface of ThinkAgile CP-SB (Storage Block) BMC in firmware versions prior to 1908.M. This vulnerability allows session IDs to be reused, which could provide unauthorized access to the BMC under certain circumstances. This vulnerability does not affect ThinkSystem XCC, System x IMM2, or other BMCs. | ||||
CVE-2017-3767 | 2 Lenovo, Realtek | 47 Thinkpad 10, Thinkpad 11e, Thinkpad 13 and 44 more | 2024-09-17 | N/A |
A local privilege escalation vulnerability was identified in the Realtek audio driver versions prior to 6.0.1.8224 in some Lenovo ThinkPad products. An attacker with local privileges could execute code with administrative privileges. | ||||
CVE-2020-8340 | 1 Lenovo | 15 Flex System Nx360 M5, Flex System X240, Flex System X240 M5 and 12 more | 2024-09-17 | 6.3 Medium |
A cross-site scripting (XSS) vulnerability was discovered in the legacy IBM and Lenovo System x IMM2 (Integrated Management Module 2), prior to version 5.60, embedded Baseboard Management Controller (BMC) web interface during an internal security review. This vulnerability could allow JavaScript code to be executed in the user's web browser if the user is convinced to visit a crafted URL, possibly through phishing. Successful exploitation requires specific knowledge about the user’s network to be included in the crafted URL. Impact is limited to the normal access restrictions and permissions of the user clicking the crafted URL, and subject to the user being able to connect to and already being authenticated to IMM2 or other systems. The JavaScript code is not executed on IMM2 itself. | ||||
CVE-2019-6181 | 1 Lenovo | 1 Xclarity Administrator | 2024-09-17 | 6.1 Medium |
A reflected cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow a crafted URL, if visited, to cause JavaScript code to be executed in the user's web browser. The JavaScript code is not executed on LXCA itself. | ||||
CVE-2017-3765 | 2 Ibm, Lenovo | 30 1g L2-7 Slb Switch For Bladecenter, Bladecenter 1\, Bladecenter Layer 2\/3 Copper Ethernet Switch Module and 27 more | 2024-09-17 | N/A |
In Enterprise Networking Operating System (ENOS) in Lenovo and IBM RackSwitch and BladeCenter products, an authentication bypass known as "HP Backdoor" was discovered during a Lenovo security audit in the serial console, Telnet, SSH, and Web interfaces. This bypass mechanism can be accessed when performing local authentication under specific circumstances. If exploited, admin-level access to the switch is granted. | ||||
CVE-2019-6187 | 1 Lenovo | 42 Thinksystem Sr670, Thinkagile 7d1h, Thinkagile 7x82 and 39 more | 2024-09-17 | 6.5 Medium |
A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server informational fields, that could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on XCC itself and has no effect on the server. | ||||
CVE-2020-8321 | 1 Lenovo | 344 130-14ast, 130-14ast Firmware, 130-14ikb and 341 more | 2024-09-17 | 6.4 Medium |
A potential vulnerability in the SMI callback function used in the System Lock Preinstallation driver in some Lenovo Notebook and ThinkStation models may allow arbitrary code execution. | ||||
CVE-2019-6196 | 1 Lenovo | 1 Installation Package | 2024-09-17 | 6.7 Medium |
A symbolic link vulnerability in some Lenovo installation packages, prior to version 1.2.9.3, could allow privileged file operations during file extraction and installation. | ||||
CVE-2017-3746 | 1 Lenovo | 1 Thinkpad Usb 3.0 Ethernet Adapter Driver | 2024-09-17 | N/A |
ThinkPad USB 3.0 Ethernet Adapter (part number 4X90E51405) driver, various versions, was found to contain a privilege escalation vulnerability that could allow a local user to execute arbitrary code with administrative or system level privileges. | ||||
CVE-2020-8327 | 1 Lenovo | 1 Vantage | 2024-09-17 | 7.3 High |
A privilege escalation vulnerability was reported in LenovoBatteryGaugePackage for Lenovo System Interface Foundation bundled in Lenovo Vantage prior to version 10.2003.10.0 that could allow an authenticated user to execute code with elevated privileges. | ||||
CVE-2020-8317 | 1 Lenovo | 1 Drivers Management | 2024-09-17 | 7.3 High |
A DLL search path vulnerability was reported in Lenovo Drivers Management prior to version 2.7.1128.1046 that could allow an authenticated user to execute code with elevated privileges. | ||||
CVE-2019-6157 | 2 Ibm, Lenovo | 84 Bladecenter Hs22, Bladecenter Hs22 Firmware, Bladecenter Hs23 and 81 more | 2024-09-17 | N/A |
In various firmware versions of Lenovo System x, the integrated management module II (IMM2)'s first failure data capture (FFDC) includes the web server's private key in the generated log file for support. | ||||
CVE-2017-3770 | 1 Lenovo | 1 Xclarity Administrator | 2024-09-17 | N/A |
Privilege escalation vulnerability in LXCA versions earlier than 1.3.2 where an authenticated user may be able to abuse certain web interface functionality to execute privileged commands within the underlying LXCA operating system. | ||||
CVE-2020-8342 | 1 Lenovo | 1 System Update | 2024-09-17 | 7.3 High |
A race condition vulnerability was reported in Lenovo System Update prior to version 5.07.0106 that could allow escalation of privilege. |