Lenovo

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-9066 1Lenovo 1Xclarity Administrator Nov 21, 2024 Jul 30, 2018 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstances, inject additional parameters into a specific web API call which can result in privileged command...Show more In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstances, inject additional parameters into a specific web API call which can result in privileged command execution within LXCA's underlying operating system.Show less
CVE-2018-9065 1Lenovo 1Xclarity Administrator Nov 21, 2024 Jul 30, 2018 N/A· v4 7.5 HIGH· v3 3.5 LOW· v2 In Lenovo xClarity Administrator versions earlier than 2.1.0, an attacker that gains access to the underlying LXCA file system user may be able to retrieve a credential store containing the service processor user names a...Show more In Lenovo xClarity Administrator versions earlier than 2.1.0, an attacker that gains access to the underlying LXCA file system user may be able to retrieve a credential store containing the service processor user names and passwords for servers previously managed by that LXCA instance, and potentially decrypt those credentials more easily than intended.Show less
CVE-2018-9064 1Lenovo 1Xclarity Administrator Nov 21, 2024 Jul 30, 2018 N/A· v4 8.8 HIGH· v3 4.0 MEDIUM· v2 In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user may abuse a web API debug call to retrieve the credentials for the System Manager user.
CVE-2018-9068 2Ibm Lenovo 42Bladecenter Hs22 Firmware Bladecenter Hs23 FirmwareBladecenter Hs23e Firmware+39 more Nov 21, 2024 Jul 26, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The IMM2 First Failure Data Capture function collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server hosted on...Show more The IMM2 First Failure Data Capture function collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server hosted on the IMM2 management network interface. In versions earlier than 4.90 for Lenovo System x and earlier than 6.80 for IBM System x, the credentials to access the SFTP server are hard-coded and described in the IMM2 documentation, allowing an attacker with management network access to obtain the collected FFDC data. After applying the update, the IMM2 will create random SFTP credentials for use with OneCLI.Show less
CVE-2018-9062 1Lenovo 39E42 80 Firmware E42 80 Isk FirmwareE52 80 Firmware+36 more Nov 21, 2024 Jul 19, 2018 N/A· v4 6.8 MEDIUM· v3 7.2 HIGH· v2 In some Lenovo ThinkPad products, one BIOS region is not properly included in the checks, allowing injection of arbitrary code.
CVE-2018-9070 1Lenovo 1Smart Assistant Nov 21, 2024 Jul 13, 2018 N/A· v4 6.4 MEDIUM· v3 6.9 MEDIUM· v2 For the Lenovo Smart Assistant Android app versions earlier than 12.1.82, an attacker with physical access to the smart speaker can, by pressing a specific button sequence, enter factory test mode and enable a web servic...Show more For the Lenovo Smart Assistant Android app versions earlier than 12.1.82, an attacker with physical access to the smart speaker can, by pressing a specific button sequence, enter factory test mode and enable a web service intended for testing the device. As with most test modes, this provides extra privileges, including changing settings and running code. Lenovo Smart Assistant is an Amazon Alexa-enabled smart speaker developed by Lenovo.Show less
CVE-2018-9067 1Lenovo 1Lenovo Help Nov 21, 2024 Jul 13, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The Lenovo Help Android app versions earlier than 6.1.2.0327 had insufficient access control for some functions which, if exploited, could have led to exposure of approximately 400 email addresses and 8,500 IMEI.
CVE-2018-9063 1Lenovo 1System Update Nov 21, 2024 May 4, 2018 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the p...Show more MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the program's buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv.Show less
CVE-2017-3775 1Lenovo 11Flex System X240 M5 Bios Flex System X280 X6 BiosFlex System X480 X6 Bios+8 more Nov 21, 2024 May 4, 2018 N/A· v4 6.4 MEDIUM· v3 6.9 MEDIUM· v2 Some Lenovo System x server BIOS/UEFI versions, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the...Show more Some Lenovo System x server BIOS/UEFI versions, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code.Show less
CVE-2017-17833 5Canonical DebianLenovo+2 more 38Bm Nextscale Fan Power Controller CmmDebian Linux+35 more Nov 21, 2024 Apr 23, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 OpenSLP releases in the 1.0.2 and 1.1.0 code streams have a heap-related memory corruption issue which may manifest itself as a denial-of-service or a remote code-execution vulnerability.
CVE-2017-3776 1Lenovo 1Lenovo Help Nov 21, 2024 Apr 19, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Lenovo Help Android mobile app versions earlier than 6.1.2.0327 allowed information to be transmitted over an HTTP channel, permitting others observing the channel to potentially see this information.
CVE-2017-3774 1Lenovo 1Integrated Management Module 2 Nov 21, 2024 Apr 19, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A stack overflow vulnerability was discovered within the web administration service in Integrated Management Module 2 (IMM2) earlier than version 4.70 used in some Lenovo servers and earlier than version 6.60 used in som...Show more A stack overflow vulnerability was discovered within the web administration service in Integrated Management Module 2 (IMM2) earlier than version 4.70 used in some Lenovo servers and earlier than version 6.60 used in some IBM servers. An attacker providing a crafted user ID and password combination can cause a portion of the authentication routine to overflow its stack, resulting in stack corruption.Show less
CVE-2017-3762 1Lenovo 1Fingerprint Manager Pro Nov 21, 2024 Jan 26, 2018 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password,...Show more Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed.Show less
CVE-2017-3765 1Lenovo 1Enterprise Network Operating System Nov 21, 2024 Jan 10, 2018 N/A· v4 7.0 HIGH· v3 6.2 MEDIUM· v2 In Enterprise Networking Operating System (ENOS) in Lenovo and IBM RackSwitch and BladeCenter products, an authentication bypass known as "HP Backdoor" was discovered during a Lenovo security audit in the serial console,...Show more In Enterprise Networking Operating System (ENOS) in Lenovo and IBM RackSwitch and BladeCenter products, an authentication bypass known as "HP Backdoor" was discovered during a Lenovo security audit in the serial console, Telnet, SSH, and Web interfaces. This bypass mechanism can be accessed when performing local authentication under specific circumstances. If exploited, admin-level access to the switch is granted.Show less
CVE-2017-3764 1Lenovo 1Xclarity Administrator May 13, 2026 Nov 30, 2017 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability was identified in Lenovo XClarity Administrator (LXCA) before 1.4.0 where LXCA user account names may be exposed to unauthenticated users with access to the LXCA web user interface. No password informatio...Show more A vulnerability was identified in Lenovo XClarity Administrator (LXCA) before 1.4.0 where LXCA user account names may be exposed to unauthenticated users with access to the LXCA web user interface. No password information of the user accounts is exposed.Show less
CVE-2017-3771 1Lenovo 3Aio E95 Firmware Thinkcentre M710s FirmwareThinkcentre M710t Firmware May 13, 2026 Oct 26, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 System boot process is not adequately secured In Lenovo E95 and ThinkCentre M710s/M710t because systems were shipped from factory without completing BIOS/UEFI initialization process.
CVE-2017-3761 1Lenovo 1Service Framework May 13, 2026 Oct 17, 2017 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The Lenovo Service Framework Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection which, in turn, could lead to remote co...Show more The Lenovo Service Framework Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection which, in turn, could lead to remote code execution.Show less
CVE-2017-3760 1Lenovo 1Service Framework May 13, 2026 Oct 17, 2017 N/A· v4 8.1 HIGH· v3 5.1 MEDIUM· v2 The Lenovo Service Framework Android application uses a set of nonsecure credentials when performing integrity verification of downloaded applications and/or data. This exposes the application to man-in-the-middle attack...Show more The Lenovo Service Framework Android application uses a set of nonsecure credentials when performing integrity verification of downloaded applications and/or data. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.Show less
CVE-2017-3759 1Lenovo 1Service Framework May 13, 2026 Oct 17, 2017 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 The Lenovo Service Framework Android application accepts some responses from the server without proper validation. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
CVE-2017-3758 1Lenovo 1Service Framework May 13, 2026 Oct 17, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Improper access controls on several Android components in the Lenovo Service Framework application can be exploited to enable remote code execution.

Previous 1...151617...20 Next