Lenovo: Security Vulnerabilities
An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered Windows OS credentials, used to perform driver updates of managed systems, being written to a log file in clear text. This only affects LXCA version 2.6.0 when performing a Windows driver update. Affected logs are only accessible to authorized users in the First Failure Data Capture (FFDC) service log and log files on LXCA.
CVSS Score
7.9
EPSS Score
0.001
Published
2020-03-13
An information disclosure vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.6.6 that could allow unauthenticated access to some configuration files which may contain usernames, license keys, IP addresses, and encrypted password hashes.
CVSS Score
7.5
EPSS Score
0.003
Published
2020-02-14
An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.6.6 that could allow information disclosure.
CVSS Score
5.7
EPSS Score
0.003
Published
2020-02-14
An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) “LDAP Authentication Only with Local Authorization” mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out. The authorization bypass does not exist when “Local Authentication and Authorization” or “LDAP Authentication and Authorization” modes are configured and used by XCC.
CVSS Score
4.8
EPSS Score
0.001
Published
2020-02-14
Lenovo was notified of a potential denial of service vulnerability, affecting various versions of BIOS for Lenovo Desktop, Desktop - All in One, and ThinkStation, that could cause PCRs to be cleared intermittently after resuming from sleep (S3) on systems with Intel TXT enabled.
CVSS Score
5.0
EPSS Score
0.001
Published
2020-02-14
An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered a Document Object Model (DOM) based cross-site scripting vulnerability in versions prior to 2.6.6 that could allow JavaScript code to be executed in the user's web browser if a specially crafted link is visited. The JavaScript code is executed on the user's system, not executed on LXCA itself.
CVSS Score
5.4
EPSS Score
0.003
Published
2020-02-14
A vulnerability in the web interface of Lenovo EZ Media & Backup Center, ix2 & ix2-dl version 4.1.406.34763 and prior could allow an unauthenticated, remote attacker to redirect a user to an untrusted web page.
CVSS Score
6.1
EPSS Score
0.004
Published
2020-02-14
A denial of service vulnerability has been reported in Lenovo Energy Management Driver for Windows 10 versions prior to 15.11.29.7 that could cause systems to experience a blue screen error. Lenovo Energy Management is a client utility. Lenovo XClarity Energy Manager is not affected.
CVSS Score
7.5
EPSS Score
0.006
Published
2019-12-10
A potential vulnerability has been reported in Lenovo Power Management Driver versions prior to 1.67.17.48 leading to a buffer overflow which could cause a denial of service.
CVSS Score
4.4
EPSS Score
0.021
Published
2019-12-10
A potential vulnerability reported in ThinkPad USB-C Dock Firmware version 3.7.2 may allow a denial of service.
CVSS Score
7.5
EPSS Score
0.005
Published
2019-11-20