← Back

CVE-2018-9078

nvd nist
Published: Sep 28, 2018Modified: Nov 21, 2024

JSON object

Loading...
8.8
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device's origin instead of prompting to download the asset. The application does not prevent the user from uploading SVG images and returns these images within their origin. As a result, malicious users can upload SVG images that contain arbitrary JavaScript that is evaluated when the victim issues a request to download the file.

Affected (20)

Lenovo
20 products
Storcenter Px12 450r Firmware
Storcenter Px12 400r Firmware
Storcenter Px4 300r Firmware
Storcenter Px6 300d Firmware
Storcenter Px4 300d Firmware
Storcenter Px2 300d Firmware
Storcenter Ix4 300d Firmware
Storcenter Ix2 Firmware
Storcenter Ix2 Dl Firmware
Px12 450r Firmware
Px12 400r Firmware
Px4 400r Firmware
Px4 300r Firmware
Px6 300d Firmware
Px4 400d Firmware
Px4 300d Firmware
Px2 300d Firmware
Ix4 300d Firmware
Ix2 Firmware
Ez Media & Backup Center Firmware
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Storcenter Px12 450r Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Storcenter Px12 450r
All versions
Configuration B
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Storcenter Px12 400r Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Storcenter Px12 400r
All versions
Configuration C
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Storcenter Px4 300r Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Storcenter Px4 300r
All versions
Configuration D
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Storcenter Px6 300d Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Storcenter Px6 300d
All versions
Configuration E
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Storcenter Px4 300d Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Storcenter Px4 300d
All versions
Configuration F
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Storcenter Px2 300d Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Storcenter Px2 300d
All versions
Configuration G
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Storcenter Ix4 300d Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Storcenter Ix4 300d
All versions
Configuration H
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Storcenter Ix2 Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Storcenter Ix2
All versions
Configuration I
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Storcenter Ix2 Dl Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Storcenter Ix2 Dl
All versions
Configuration K
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Px12 450r Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Px12 450r
All versions
Configuration L
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Px12 400r Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Px12 400r
All versions
Configuration M
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Px4 400r Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Px4 400r
All versions
Configuration N
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Px4 300r Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Px4 300r
All versions
Configuration O
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Px6 300d Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Px6 300d
All versions
Configuration P
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Px4 400d Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Px4 400d
All versions
Configuration Q
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Px4 300d Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Px4 300d
All versions
Configuration R
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Px2 300d Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Px2 300d
All versions
Configuration S
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Ix4 300d Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Ix4 300d
All versions
Configuration T
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Ix2 Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Ix2
All versions
Configuration U
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Ez Media & Backup Center Firmware
Version 4.1.402.34662
Running on/withPlatform Versions
Lenovo
Ez Media & Backup Center
All versions

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

Source: psirt@lenovo.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.