CVE-2019-6182

A stored CSV Injection vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to store malformed data in LXCA Jobs and Event Log data, that could result in crafted formulas stored in an exported CSV file. The crafted formula is not executed on LXCA itself.

CVSS v3 4.9 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://support.lenovo.com/solutions/LEN-27805	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lenovo:xclarity_administrator:*:*:*:*:*:*:*:*

History

14 Oct 2022, 03:20

Type	Values Removed	Values Added
CVSS	v2 : ~~4.0~~ v3 : ~~4.4~~	v2 : 4.0 v3 : 4.9

Information

Published : 2019-09-03 19:15

Updated : 2023-12-10 12:59

NVD link : CVE-2019-6182

Mitre link : CVE-2019-6182

CVE.ORG link : CVE-2019-6182

JSON object : View

Products Affected

lenovo

xclarity_administrator

CWE

CWE-1236

Improper Neutralization of Formula Elements in a CSV File

{"id": "CVE-2019-6182", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "psirt@lenovo.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2019-09-03T19:15:10.837", "references": [{"url": "https://support.lenovo.com/solutions/LEN-27805", "tags": ["Vendor Advisory"], "source": "psirt@lenovo.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1236"}]}], "descriptions": [{"lang": "en", "value": "A stored CSV Injection vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to store malformed data in LXCA Jobs and Event Log data, that could result in crafted formulas stored in an exported CSV file. The crafted formula is not executed on LXCA itself."}, {"lang": "es", "value": "Se inform\u00f3 una vulnerabilidad de inyecci\u00f3n CSV almacenada en Lenovo XClarity Administrator (LXCA) en versiones anteriores a la 2.5.0 que podr\u00eda permitir a un usuario administrativo almacenar datos con formato incorrecto en trabajos de LXCA y datos de registro de eventos, lo que podr\u00eda dar como resultado f\u00f3rmulas dise\u00f1adas almacenadas en un archivo CSV exportado. La f\u00f3rmula dise\u00f1ada no se ejecuta en LXCA."}], "lastModified": "2022-10-14T03:20:44.237", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_administrator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "661DC48D-6DFC-4B7E-AF89-DA9FF17E1045", "versionEndExcluding": "2.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@lenovo.com"}