Lenovo: Security Vulnerabilities
A potential vulnerability in the discontinued Customer Engagement Service (CCSDK) software version 2.0.21.1 may allow local privilege escalation.
CVSS Score
7.8
EPSS Score
0.001
Published
2019-11-20
A potential vulnerability was reported in Lenovo System Interface Foundation versions before v1.1.18.3 that could allow an authenticated user to execute code as another user.
CVSS Score
8.8
EPSS Score
0.006
Published
2019-11-20
A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server informational fields, that could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on XCC itself and has no effect on the server.
CVSS Score
6.5
EPSS Score
0.004
Published
2019-11-20
A potential vulnerability was reported in Lenovo System Interface Foundation versions before v1.1.18.3 that could allow an administrative user to load an unsigned DLL.
CVSS Score
7.8
EPSS Score
0.001
Published
2019-11-20
A potential vulnerability in the discontinued LenovoPaper software version 1.0.0.22 may allow local privilege escalation.
CVSS Score
7.8
EPSS Score
0.001
Published
2019-11-20
A potential vulnerability in the SMI callback function used in the Legacy USB driver using boot services structure in runtime phase in some Lenovo ThinkPad models may allow arbitrary code execution.
CVSS Score
6.4
EPSS Score
0.001
Published
2019-11-12
A potential vulnerability in the SMI callback function used in Legacy USB driver using passed parameter without sufficient checking in some Lenovo ThinkPad models may allow arbitrary code execution.
CVSS Score
6.4
EPSS Score
0.001
Published
2019-11-12
The BIOS tamper detection mechanism was not triggered in Lenovo ThinkPad T460p, BIOS versions up to R07ET90W, and T470p, BIOS versions up to R0FET50W, which may allow for unauthorized access.
CVSS Score
9.8
EPSS Score
0.006
Published
2019-11-12
A denial of service vulnerability was reported in Lenovo System Update versions prior to 5.07.0088 that could allow configuration files to be written to non-standard locations.
CVSS Score
7.5
EPSS Score
0.006
Published
2019-09-26
An internal product security audit discovered a session handling vulnerability in the web interface of ThinkAgile CP-SB (Storage Block) BMC in firmware versions prior to 1908.M. This vulnerability allows session IDs to be reused, which could provide unauthorized access to the BMC under certain circumstances. This vulnerability does not affect ThinkSystem XCC, System x IMM2, or other BMCs.
CVSS Score
7.5
EPSS Score
0.003
Published
2019-09-26