Lenovo: Security Vulnerabilities
A DLL search path vulnerability was reported in Lenovo Diagnostics prior to version 4.35.4 that could allow a user with local access to execute code on the system.
CVSS Score
7.8
EPSS Score
0.001
Published
2020-10-14
A DLL search path vulnerability was reported in the Lenovo HardwareScan Plugin for the Lenovo Vantage hardware scan feature prior to version 1.0.46.11 that could allow escalation of privilege.
CVSS Score
7.3
EPSS Score
0.002
Published
2020-10-14
An internal security review has identified an unauthenticated remote code execution vulnerability in Cloud Networking Operating System (CNOS)’ optional REST API management interface. This interface is disabled by default and not vulnerable unless enabled. When enabled, it is only vulnerable where attached to a VRF and as allowed by defined ACLs. Lenovo strongly recommends upgrading to a non-vulnerable CNOS release. Where not possible, Lenovo recommends disabling the REST API management interface or restricting access to the management VRF and further limiting access to authorized management stations via ACL.
CVSS Score
9.8
EPSS Score
0.026
Published
2020-10-14
An authentication bypass vulnerability was reported in Lenovo ThinkPad Stack Wireless Router firmware version 1.1.3.4 that could allow escalation of privilege.
CVSS Score
8.8
EPSS Score
0.001
Published
2020-10-14
A reflective cross-site scripting (XSS) vulnerability was reported in Lenovo Enterprise Network Disk prior to version 6.1 patch 6 hotfix 4 that could allow execution of code in an authenticated user's browser if a crafted url is visited, possibly through phishing.
CVSS Score
6.1
EPSS Score
0.007
Published
2020-09-24
A DOM-based cross-site scripting (XSS) vulnerability was reported in Lenovo Enterprise Network Disk prior to version 6.1 patch 6 hotfix 4 that could allow execution of code in an authenticated user's current browser session if a crafted url is visited, possibly through phishing.
CVSS Score
6.1
EPSS Score
0.005
Published
2020-09-24
A potential vulnerability in the SMI callback function used in the EEPROM driver in some Lenovo Desktops and ThinkStation models may allow arbitrary code execution
CVSS Score
6.4
EPSS Score
0.0
Published
2020-09-24
A cross-site scripting (XSS) vulnerability was discovered in the legacy IBM and Lenovo System x IMM2 (Integrated Management Module 2), prior to version 5.60, embedded Baseboard Management Controller (BMC) web interface during an internal security review. This vulnerability could allow JavaScript code to be executed in the user's web browser if the user is convinced to visit a crafted URL, possibly through phishing. Successful exploitation requires specific knowledge about the user’s network to be included in the crafted URL. Impact is limited to the normal access restrictions and permissions of the user clicking the crafted URL, and subject to the user being able to connect to and already being authenticated to IMM2 or other systems. The JavaScript code is not executed on IMM2 itself.
CVSS Score
6.3
EPSS Score
0.002
Published
2020-09-15
A race condition vulnerability was reported in Lenovo System Update prior to version 5.07.0106 that could allow escalation of privilege.
CVSS Score
7.3
EPSS Score
0.0
Published
2020-09-15
A denial of service vulnerability was reported in the Lenovo Vantage component called Lenovo System Interface Foundation prior to version 1.1.19.5 that could allow configuration files to be written to non-standard locations.
CVSS Score
5.5
EPSS Score
0.0
Published
2020-09-15