Lenovo: Security Vulnerabilities
A stack overflow vulnerability was discovered within the web administration service in Integrated Management Module 2 (IMM2) earlier than version 4.70 used in some Lenovo servers and earlier than version 6.60 used in some IBM servers. An attacker providing a crafted user ID and password combination can cause a portion of the authentication routine to overflow its stack, resulting in stack corruption.
CVSS Score
9.8
EPSS Score
0.006
Published
2018-04-19
Lenovo Help Android mobile app versions earlier than 6.1.2.0327 allowed information to be transmitted over an HTTP channel, permitting others observing the channel to potentially see this information.
CVSS Score
7.5
EPSS Score
0.003
Published
2018-04-19
Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed.
CVSS Score
7.8
EPSS Score
0.002
Published
2018-01-26
In Enterprise Networking Operating System (ENOS) in Lenovo and IBM RackSwitch and BladeCenter products, an authentication bypass known as "HP Backdoor" was discovered during a Lenovo security audit in the serial console, Telnet, SSH, and Web interfaces. This bypass mechanism can be accessed when performing local authentication under specific circumstances. If exploited, admin-level access to the switch is granted.
CVSS Score
7.0
EPSS Score
0.0
Published
2018-01-10
A vulnerability was identified in Lenovo XClarity Administrator (LXCA) before 1.4.0 where LXCA user account names may be exposed to unauthenticated users with access to the LXCA web user interface. No password information of the user accounts is exposed.
CVSS Score
5.3
EPSS Score
0.007
Published
2017-11-30
A local privilege escalation vulnerability was identified in the Realtek audio driver versions prior to 6.0.1.8224 in some Lenovo ThinkPad products. An attacker with local privileges could execute code with administrative privileges.
CVSS Score
7.8
EPSS Score
0.0
Published
2017-11-13
System boot process is not adequately secured In Lenovo E95 and ThinkCentre M710s/M710t because systems were shipped from factory without completing BIOS/UEFI initialization process.
CVSS Score
7.5
EPSS Score
0.002
Published
2017-10-26
Improper access controls on several Android components in the Lenovo Service Framework application can be exploited to enable remote code execution.
CVSS Score
9.8
EPSS Score
0.024
Published
2017-10-17
The Lenovo Service Framework Android application accepts some responses from the server without proper validation. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
CVSS Score
8.1
EPSS Score
0.014
Published
2017-10-17
The Lenovo Service Framework Android application uses a set of nonsecure credentials when performing integrity verification of downloaded applications and/or data. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
CVSS Score
8.1
EPSS Score
0.008
Published
2017-10-17