CVE-2018-9080

Published: Sep 28, 2018Modified: Nov 21, 2024

5.9

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, by setting the Iomega cookie to a known value before logging into the NAS's web application, the NAS will not provide the user a new cookie value. This allows an attacker who knows the cookie's value to compromise the user's session.

Affected (20)

Lenovo

20 products

Storcenter Px12 450r Firmware

Storcenter Px12 400r Firmware

Storcenter Px4 300r Firmware

Storcenter Px6 300d Firmware

Storcenter Px4 300d Firmware

Storcenter Px2 300d Firmware

Storcenter Ix4 300d Firmware

Storcenter Ix2 Firmware

Storcenter Ix2 Dl Firmware

Ez Media & Backup Center Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Px12 450r Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Px12 450r	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Px12 400r Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Px12 400r	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Px4 300r Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Px4 300r	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Px6 300d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Px6 300d	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Px4 300d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Px4 300d	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Px2 300d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Px2 300d	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Ix4 300d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Ix4 300d	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Ix2 Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Ix2	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Ix2 Dl Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Ix2 Dl	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Px12 450r Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Px12 450r	All versions

Configuration L

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Px12 400r Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Px12 400r	All versions

Configuration M

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Px4 400r Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Px4 400r	All versions

Configuration N

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Px4 300r Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Px4 300r	All versions

Configuration O

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Px6 300d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Px6 300d	All versions

Configuration P

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Px4 400d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Px4 400d	All versions

Configuration Q

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Px4 300d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Px4 300d	All versions

Configuration R

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Px2 300d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Px2 300d	All versions

Configuration S

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Ix4 300d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Ix4 300d	All versions

Configuration T

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Ix2 Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Ix2	All versions

Configuration U

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Ez Media & Backup Center Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Ez Media & Backup Center	All versions

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (2)

https://support.lenovo.com/us/en/solutions/LEN-24224

Source: psirt@lenovo.com

Vendor Advisory

https://support.lenovo.com/us/en/solutions/LEN-24224

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.