CVE-2018-9081

Published: Sep 28, 2018Modified: Nov 21, 2024

4.7

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.6 / Impact: 2.7

Source: NVD

Description

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file name used for assets accessible through the Content Viewer application are vulnerable to self cross-site scripting self-XSS. As a result, adversaries can add files to shares accessible from the Content Viewer with a cross site scripting payload in its name, and wait for a user to try and rename the file for their payload to trigger.

Affected (20)

Lenovo

20 products

Storcenter Px12 450r Firmware

Storcenter Px12 400r Firmware

Storcenter Px4 300r Firmware

Storcenter Px6 300d Firmware

Storcenter Px4 300d Firmware

Storcenter Px2 300d Firmware

Storcenter Ix4 300d Firmware

Storcenter Ix2 Firmware

Storcenter Ix2 Dl Firmware

Ez Media & Backup Center Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Px12 450r Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Px12 450r	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Px12 400r Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Px12 400r	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Px4 300r Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Px4 300r	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Px6 300d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Px6 300d	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Px4 300d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Px4 300d	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Px2 300d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Px2 300d	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Ix4 300d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Ix4 300d	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Ix2 Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Ix2	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Storcenter Ix2 Dl Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Storcenter Ix2 Dl	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Px12 450r Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Px12 450r	All versions

Configuration L

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Px12 400r Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Px12 400r	All versions

Configuration M

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Px4 400r Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Px4 400r	All versions

Configuration N

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Px4 300r Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Px4 300r	All versions

Configuration O

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Px6 300d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Px6 300d	All versions

Configuration P

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Px4 400d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Px4 400d	All versions

Configuration Q

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Px4 300d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Px4 300d	All versions

Configuration R

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Px2 300d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Px2 300d	All versions

Configuration S

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Ix4 300d Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Ix4 300d	All versions

Configuration T

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Ix2 Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Ix2	All versions

Configuration U

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Ez Media & Backup Center Firmware	Version 4.1.402.34662

Running on/with	Platform Versions
Lenovo Ez Media & Backup Center	All versions

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://support.lenovo.com/us/en/solutions/LEN-24224

Source: psirt@lenovo.com

Vendor Advisory

https://support.lenovo.com/us/en/solutions/LEN-24224

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.