Filtered by vendor Lenovo
Subscribe
Total
297 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-6044 | 1 Lenovo | 1 Vantage | 2024-02-05 | N/A | 6.8 MEDIUM |
A privilege escalation vulnerability was reported in Lenovo Vantage that could allow a local attacker with physical access to impersonate Lenovo Vantage Service and execute arbitrary code with elevated privileges. | |||||
CVE-2023-6450 | 1 Lenovo | 1 App Store | 2024-02-05 | N/A | 5.5 MEDIUM |
An incorrect permissions vulnerability was reported in the Lenovo App Store app that could allow an attacker to use system resources, resulting in a denial of service. | |||||
CVE-2023-4706 | 1 Lenovo | 1 Preload Directory | 2024-02-05 | N/A | 7.8 HIGH |
A privilege escalation vulnerability was reported in Lenovo preloaded devices deployed using Microsoft AutoPilot under a standard user account due to incorrect default privileges. | |||||
CVE-2023-6043 | 1 Lenovo | 1 Vantage | 2024-02-05 | N/A | 7.8 HIGH |
A privilege escalation vulnerability was reported in Lenovo Vantage that could allow a local attacker to bypass integrity checks and execute arbitrary code with elevated privileges. | |||||
CVE-2023-5079 | 1 Lenovo | 1 Lecloud | 2024-02-05 | N/A | 7.5 HIGH |
Lenovo LeCloud App improper input validation allows attackers to access arbitrary components and arbitrary file downloads, which could result in information disclosure. | |||||
CVE-2023-5080 | 1 Lenovo | 12 Tab M10 Plus Gen 3 Tb125fu, Tab M10 Plus Gen 3 Tb125fu Firmware, Tab M8 Hd Tb8505f and 9 more | 2024-02-05 | N/A | 7.8 HIGH |
A privilege escalation vulnerability was reported in some Lenovo tablet products that could allow local applications access to device identifiers and system commands. | |||||
CVE-2023-5081 | 1 Lenovo | 8 Tab M8 Hd Tb8505f, Tab M8 Hd Tb8505f Firmware, Tab M8 Hd Tb8505fs and 5 more | 2024-02-05 | N/A | 3.3 LOW |
An information disclosure vulnerability was reported in the Lenovo Tab M8 HD that could allow a local application to gather a non-resettable device identifier. | |||||
CVE-2023-29057 | 1 Lenovo | 218 Thinkagile Hx1021, Thinkagile Hx1021 Firmware, Thinkagile Hx1320 and 215 more | 2024-02-04 | N/A | 8.8 HIGH |
A valid XCC user's local account permissions overrides their active directory permissions under specific configurations. This could lead to a privilege escalation. To be vulnerable, LDAP must be configured for authentication/authorization and logins configured as “Local First, then LDAP”. | |||||
CVE-2023-0896 | 1 Lenovo | 2 Smart Clock Essential With Alexa Built In, Smart Clock Essential With Alexa Built In Firmware | 2024-02-04 | N/A | 8.8 HIGH |
A default password was reported in Lenovo Smart Clock Essential with Alexa Built In that could allow unauthorized device access to an attacker with local network access. | |||||
CVE-2022-48181 | 1 Lenovo | 228 Ideacentre 3-07ada05, Ideacentre 3-07ada05 Firmware, Ideacentre 3-07imb05 and 225 more | 2024-02-04 | N/A | 7.8 HIGH |
An ErrorMessage driver stack-based buffer overflow vulnerability in BIOS of some ThinkPad models could allow an attacker with local access to elevate their privileges and execute arbitrary code. | |||||
CVE-2023-34421 | 1 Lenovo | 1 Xclarity Administrator | 2024-02-04 | N/A | 6.5 MEDIUM |
A valid, authenticated LXCA user with elevated privileges may be able to replace filesystem data through a specifically crafted web API call due to insufficient input validation. | |||||
CVE-2023-34418 | 1 Lenovo | 1 Xclarity Administrator | 2024-02-04 | N/A | 8.1 HIGH |
A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LXCA due to a SQL injection vulnerability in a specific web API. | |||||
CVE-2022-4569 | 1 Lenovo | 2 Thinkpad Hybrid Usb-c With Usb-a Dock, Thinkpad Hybrid Usb-c With Usb-a Dock Firmware | 2024-02-04 | N/A | 7.8 HIGH |
A local privilege escalation vulnerability in the ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool could allow an attacker with local access to execute code with elevated privileges during the package upgrade or installation. | |||||
CVE-2023-25495 | 1 Lenovo | 218 Thinkagile Hx1021, Thinkagile Hx1021 Firmware, Thinkagile Hx1320 and 215 more | 2024-02-04 | N/A | 4.9 MEDIUM |
A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC to authenticate to an external LDAP server in certain configurations. There is no exposure where no LDAP client password is configured | |||||
CVE-2023-34420 | 1 Lenovo | 1 Xclarity Administrator | 2024-02-04 | N/A | 7.2 HIGH |
A valid, authenticated LXCA user with elevated privileges may be able to execute command injections through crafted calls to a specific web API. | |||||
CVE-2023-34422 | 1 Lenovo | 1 Xclarity Administrator | 2024-02-04 | N/A | 6.5 MEDIUM |
A valid, authenticated LXCA user with elevated privileges may be able to delete folders in the LXCA filesystem through a specifically crafted web API call due to insufficient input validation. | |||||
CVE-2023-29058 | 1 Lenovo | 218 Thinkagile Hx1021, Thinkagile Hx1021 Firmware, Thinkagile Hx1320 and 215 more | 2024-02-04 | N/A | 6.5 MEDIUM |
A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI. There is no exposure if SSH is disabled or if there are no users assigned optional read-only permissions. | |||||
CVE-2023-25492 | 1 Lenovo | 218 Thinkagile Hx1021, Thinkagile Hx1021 Firmware, Thinkagile Hx1320 and 215 more | 2024-02-04 | N/A | 8.8 HIGH |
A valid, authenticated user may be able to trigger a denial of service of the XCC web user interface or other undefined behavior through a format string injection vulnerability in a web interface API. | |||||
CVE-2023-2993 | 1 Lenovo | 16 Nextscale N1200 Enclosure, Nextscale N1200 Enclosure Firmware, Thinkagile Cp-cb-10 and 13 more | 2024-02-04 | N/A | 6.3 MEDIUM |
A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute. | |||||
CVE-2022-48186 | 1 Lenovo | 1 Baiying | 2024-02-04 | N/A | 7.5 HIGH |
A certificate validation vulnerability exists in the Baiying Android application which could lead to information disclosure. |