Filtered by vendor Lenovo
Total 403 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-6165 1 Lenovo 4 Yoga 700-11isk, Yoga 700-11isk Firmware, Yoga 700-14isk and 1 more 2024-09-16 7.8 High
A DLL search path vulnerability was reported in PaperDisplay Hotkey Service version 1.2.0.8 that could allow privilege escalation. Lenovo has ended support for PaperDisplay Hotkey software as the Night light feature introduced in Windows 10 Build 1703 provides similar features.
CVE-2017-3753 1 Lenovo 219 63, 63 Firmware, H50-30g and 216 more 2024-09-16 N/A
A vulnerability has been identified in some Lenovo products that use UEFI (BIOS) code developed by American Megatrends, Inc. (AMI). With this vulnerability, conditions exist where an attacker with administrative privileges or physical access to a system may be able to run specially crafted code that can allow them to bypass system protections such as Device Guard and Hyper-V.
CVE-2019-6159 1 Lenovo 30 Bladecenter Hs22, Bladecenter Hs22 Firmware, Bladecenter Hs22v and 27 more 2024-09-16 6.1 Medium
A stored cross-site scripting (XSS) vulnerability exists in various firmware versions of the legacy IBM System x IMM (IMM v1) embedded Baseboard Management Controller (BMC). This vulnerability could allow an unauthenticated user to cause JavaScript code to be stored in the IMM log which may then be executed in the user's web browser when IMM log records containing the JavaScript code are viewed. The JavaScript code is not executed on IMM itself. The later IMM2 (IMM v2) is not affected.
CVE-2019-6169 1 Lenovo 8 Ideacentre, Ideapad, Service Bridge and 5 more 2024-09-16 7.5 High
A vulnerability reported in Lenovo Service Bridge before version 4.1.0.1 could allow unencrypted downloads over FTP.
CVE-2020-8356 1 Lenovo 1 Xclarity Orchestrator 2024-09-16 4.9 Medium
An internal product security audit of LXCO, prior to version 1.2.2, discovered that optional passwords, if specified, for the Syslog and SMTP forwarders are written to an internal LXCO log file in clear text. Affected logs are captured in the First Failure Data Capture (FFDC) service log. The FFDC service log is only generated when requested by a privileged LXCO user and it is only accessible to the privileged LXCO user that requested the file.
CVE-2019-6189 1 Lenovo 1 System Interface Foundation 2024-09-16 7.8 High
A potential vulnerability was reported in Lenovo System Interface Foundation versions before v1.1.18.3 that could allow an administrative user to load an unsigned DLL.
CVE-2020-8329 1 Lenovo 6 Lj4010dn, Lj4010dn Firmware, Lj6700dn and 3 more 2024-09-16 5.3 Medium
A denial of service vulnerability was reported in the firmware prior to version 1.01 used in Lenovo Printer LJ4010DN that could be triggered by a remote user sending a crafted packet to the device, causing an error to be displayed and preventing the printer from functioning until the printer is rebooted.
CVE-2018-9063 1 Lenovo 1 System Update 2024-09-16 N/A
MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) in Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering a very large user ID or password can overrun the program's buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv.
CVE-2019-6171 1 Lenovo 296 20a7, 20a7 Firmware, 20a8 and 293 more 2024-09-16 6.8 Medium
A vulnerability was reported in various BIOS versions of older ThinkPad systems that could allow a user with administrative privileges or physical access to update the Embedded Controller with unsigned firmware.
CVE-2020-8336 1 Lenovo 76 Thinkpad E14, Thinkpad E14 Firmware, Thinkpad E15 and 73 more 2024-09-16 6.4 Medium
Lenovo implemented Intel CSME Anti-rollback ARB protections on some ThinkPad models to prevent roll back of CSME Firmware in flash.
CVE-2017-3742 3 Google, Lenovo, Microsoft 3 Android, Connect2, Windows 2024-09-16 N/A
In Lenovo Connect2 versions earlier than 4.2.5.4885 for Windows and 4.2.5.3071 for Android, when an ad-hoc connection is made between two systems for the purpose of sharing files, the password for this ad-hoc connection will be stored in a user-readable location. An attacker with read access to the user's contents could connect to the Connect2 hotspot and see the contents of files while they are being transferred between the two systems.
CVE-2019-6149 1 Lenovo 2 Dynamic Power Reduction, Thinkpad X1 Carbon 2024-09-16 N/A
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2019-19757 1 Lenovo 1 Xclarity Administrator 2024-09-16 5.4 Medium
An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered a Document Object Model (DOM) based cross-site scripting vulnerability in versions prior to 2.6.6 that could allow JavaScript code to be executed in the user's web browser if a specially crafted link is visited. The JavaScript code is executed on the user's system, not executed on LXCA itself.
CVE-2017-3756 2 Lenovo, Microsoft 151 Thinkpad 10 Ella 2, Thinkpad 10 Ella 2 Bios, Thinkpad 11e Beema and 148 more 2024-09-16 N/A
A privilege escalation vulnerability was identified in Lenovo Active Protection System for ThinkPad systems versions earlier than 1.82.0.17. An attacker with local privileges could execute code with administrative privileges via an unquoted service path.
CVE-2020-8330 1 Lenovo 6 Lj4010dn, Lj4010dn Firmware, Lj6700dn and 3 more 2024-09-16 5.3 Medium
A denial of service vulnerability was reported in the firmware prior to version 1.01 used in Lenovo Printer LJ4010DN that could be triggered by a remote user sending a crafted packet to the device, preventing subsequent print jobs until the printer is rebooted.
CVE-2017-3759 1 Lenovo 1 Service Framework 2024-09-16 N/A
The Lenovo Service Framework Android application accepts some responses from the server without proper validation. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
CVE-2018-9070 1 Lenovo 1 Smart Assistant 2024-09-16 N/A
For the Lenovo Smart Assistant Android app versions earlier than 12.1.82, an attacker with physical access to the smart speaker can, by pressing a specific button sequence, enter factory test mode and enable a web service intended for testing the device. As with most test modes, this provides extra privileges, including changing settings and running code. Lenovo Smart Assistant is an Amazon Alexa-enabled smart speaker developed by Lenovo.
CVE-2018-9064 1 Lenovo 1 Xclarity Administrator 2024-09-16 N/A
In Lenovo XClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user may abuse a web API debug call to retrieve the credentials for the System Manager user.
CVE-2019-6177 1 Lenovo 1 Solution Center 2024-09-16 9.8 Critical
A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Lenovo Vantage or Lenovo Diagnostics in April 2018.
CVE-2017-3748 2 Google, Lenovo 21 Android, Vibe A1600, Vibe A2560 and 18 more 2024-09-16 N/A
On Lenovo VIBE mobile phones, improper access controls on the nac_server component can be abused in conjunction with CVE-2017-3749 and CVE-2017-3750 to elevate privileges to the root user (commonly known as "rooting" or "jail breaking" a device).