Filtered by vendor Lenovo
Subscribe
Total
370 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-34887 | 1 Lenovo | 6 G263dns, G263dns Firmware, Gm265dn and 3 more | 2023-12-10 | N/A | 5.4 MEDIUM |
Standard users can directly operate and set printer configuration information , such as IP, in some Lenovo Printers without having to authenticate with the administrator password. | |||||
CVE-2022-3698 | 1 Lenovo | 2 Diagnostics, Hardwarescan Plugin | 2023-12-10 | N/A | 4.4 MEDIUM |
A denial of service vulnerability was reported in the Lenovo HardwareScanPlugin versions prior to 1.3.1.2 and Lenovo Diagnostics versions prior to 4.45 that could allow a local user with administrative access to trigger a system crash. | |||||
CVE-2022-3743 | 1 Lenovo | 174 Ideapad 1-14ijl7, Ideapad 1-14ijl7 Firmware, Ideapad 1-15ijl7 and 171 more | 2023-12-10 | N/A | 4.4 MEDIUM |
A potential vulnerability was discovered in LCFC BIOS for some Lenovo consumer notebook models that could allow a local attacker with elevated privileges under certain conditions the ability to enumerate Embedded Controller (EC) commands. | |||||
CVE-2022-3429 | 1 Lenovo | 6 G263dns, G263dns Firmware, Gm265dn and 3 more | 2023-12-10 | N/A | 6.5 MEDIUM |
A denial-of-service vulnerability was found in the firmware used in Lenovo printers, where users send illegal or malformed strings to an open port, triggering a denial of service that causes a display error and prevents the printer from functioning properly. | |||||
CVE-2022-0353 | 1 Lenovo | 3 Diagnostics, Hardwarescan Addin, Hardwarescan Plugin | 2023-12-10 | N/A | 4.4 MEDIUM |
A denial of service vulnerability was reported in the Lenovo HardwareScanPlugin versions prior to 1.3.1.2 and Lenovo Diagnostics versions prior to 4.45 that could allow a local user with administrative access to trigger a system crash. | |||||
CVE-2023-0896 | 1 Lenovo | 2 Smart Clock Essential With Alexa Built In, Smart Clock Essential With Alexa Built In Firmware | 2023-12-10 | N/A | 8.8 HIGH |
A default password was reported in Lenovo Smart Clock Essential with Alexa Built In that could allow unauthorized device access to an attacker with local network access. | |||||
CVE-2023-2993 | 1 Lenovo | 16 Nextscale N1200 Enclosure, Nextscale N1200 Enclosure Firmware, Thinkagile Cp-cb-10 and 13 more | 2023-12-10 | N/A | 6.3 MEDIUM |
A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute. | |||||
CVE-2023-25495 | 1 Lenovo | 218 Thinkagile Hx1021, Thinkagile Hx1021 Firmware, Thinkagile Hx1320 and 215 more | 2023-12-10 | N/A | 4.9 MEDIUM |
A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC to authenticate to an external LDAP server in certain configurations. There is no exposure where no LDAP client password is configured | |||||
CVE-2022-48188 | 1 Lenovo | 54 Ideacentre 510s-07icb, Ideacentre 510s-07icb Firmware, Ideacentre 510s-07ick and 51 more | 2023-12-10 | N/A | 7.8 HIGH |
A buffer overflow vulnerability in the SecureBootDXE BIOS driver of some Lenovo Desktop and ThinkStation models could allow an attacker with local access to elevate their privileges to execute arbitrary code. | |||||
CVE-2022-4568 | 1 Lenovo | 1 System Update | 2023-12-10 | N/A | 7.8 HIGH |
A directory permissions management vulnerability in Lenovo System Update may allow elevation of privileges. | |||||
CVE-2023-2992 | 1 Lenovo | 16 Nextscale N1200 Enclosure, Nextscale N1200 Enclosure Firmware, Thinkagile Cp-cb-10 and 13 more | 2023-12-10 | N/A | 7.5 HIGH |
An unauthenticated denial of service vulnerability exists in the SMM v1, SMM v2, and FPC management web server which can be triggered under crafted conditions. Rebooting SMM or FPC will restore access to the management web server. | |||||
CVE-2022-48186 | 1 Lenovo | 1 Baiying | 2023-12-10 | N/A | 7.5 HIGH |
A certificate validation vulnerability exists in the Baiying Android application which could lead to information disclosure. | |||||
CVE-2023-29056 | 1 Lenovo | 218 Thinkagile Hx1021, Thinkagile Hx1021 Firmware, Thinkagile Hx1320 and 215 more | 2023-12-10 | N/A | 5.9 MEDIUM |
A valid LDAP user, under specific conditions, will default to read-only permissions when authenticating into XCC. To be vulnerable, XCC must be configured to use an LDAP server for Authentication/Authorization and have the login permission attribute not defined. | |||||
CVE-2023-2290 | 1 Lenovo | 170 Thinkpad E14, Thinkpad E14 Firmware, Thinkpad E14 Gen 2 and 167 more | 2023-12-10 | N/A | 6.7 MEDIUM |
A potential vulnerability in the LenovoFlashDeviceInterface SMI handler may allow an attacker with local access and elevated privileges to execute arbitrary code. | |||||
CVE-2023-34421 | 1 Lenovo | 1 Xclarity Administrator | 2023-12-10 | N/A | 6.5 MEDIUM |
A valid, authenticated LXCA user with elevated privileges may be able to replace filesystem data through a specifically crafted web API call due to insufficient input validation. | |||||
CVE-2023-34422 | 1 Lenovo | 1 Xclarity Administrator | 2023-12-10 | N/A | 6.5 MEDIUM |
A valid, authenticated LXCA user with elevated privileges may be able to delete folders in the LXCA filesystem through a specifically crafted web API call due to insufficient input validation. | |||||
CVE-2023-34418 | 1 Lenovo | 1 Xclarity Administrator | 2023-12-10 | N/A | 8.1 HIGH |
A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LXCA due to a SQL injection vulnerability in a specific web API. | |||||
CVE-2023-29058 | 1 Lenovo | 218 Thinkagile Hx1021, Thinkagile Hx1021 Firmware, Thinkagile Hx1320 and 215 more | 2023-12-10 | N/A | 6.5 MEDIUM |
A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI. There is no exposure if SSH is disabled or if there are no users assigned optional read-only permissions. | |||||
CVE-2022-48181 | 1 Lenovo | 228 Ideacentre 3-07ada05, Ideacentre 3-07ada05 Firmware, Ideacentre 3-07imb05 and 225 more | 2023-12-10 | N/A | 7.8 HIGH |
An ErrorMessage driver stack-based buffer overflow vulnerability in BIOS of some ThinkPad models could allow an attacker with local access to elevate their privileges and execute arbitrary code. | |||||
CVE-2023-29057 | 1 Lenovo | 218 Thinkagile Hx1021, Thinkagile Hx1021 Firmware, Thinkagile Hx1320 and 215 more | 2023-12-10 | N/A | 8.8 HIGH |
A valid XCC user's local account permissions overrides their active directory permissions under specific configurations. This could lead to a privilege escalation. To be vulnerable, LDAP must be configured for authentication/authorization and logins configured as “Local First, then LDAP”. |