Lenovo: Security Vulnerabilities
An information disclosure vulnerability has been identified in the Lenovo App Store which may allow some applications to gain unauthorized access to sensitive user data used by other unrelated applications.
CVSS Score
7.6
EPSS Score
0.001
Published
2023-10-27
A Time of Check Time of Use (TOCTOU) vulnerability was reported in the Lenovo Vantage SystemUpdate Plugin version 2.0.0.212 and earlier that could allow a local attacker to delete arbitrary files.
CVSS Score
6.1
EPSS Score
0.0
Published
2023-10-27
A privilege elevation vulnerability was reported in the Lenovo Vantage SystemUpdate plugin version 2.0.0.212 and earlier that could allow a local attacker to execute arbitrary code with elevated privileges.
CVSS Score
7.8
EPSS Score
0.0
Published
2023-10-27
A denial of service vulnerability was reported in Lenovo Vantage HardwareScan Plugin version 1.3.0.5 and earlier that could allow a local attacker to delete contents of an arbitrary directory under certain conditions.
CVSS Score
6.1
EPSS Score
0.0
Published
2023-10-27
A denial-of-service vulnerability was found in the firmware used in Lenovo printers, where users send illegal or malformed strings to an open port, triggering a denial of service that causes a display error and prevents the printer from functioning properly.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-10-27
A remote code execution vulnerability was found in the firmware used in some Lenovo printers, which can be caused by a remote user pushing an illegal string to the server-side interface via a script, resulting in a stack overflow.
CVSS Score
8.8
EPSS Score
0.071
Published
2023-10-27
Standard users can directly operate and set printer configuration information , such as IP, in some Lenovo Printers without having to authenticate with the administrator password.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-10-27
An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command.
This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.
CVSS Score
8.1
EPSS Score
0.001
Published
2023-10-25
An authenticated XCC user can change permissions for any user through a crafted API command.
CVSS Score
7.5
EPSS Score
0.002
Published
2023-10-25
An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command.
This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.
CVSS Score
4.1
EPSS Score
0.001
Published
2023-10-25