Vulnerabilities related to Lenovo - Lenovo XClarity Controller (XCC)
cve-2023-4607
Vulnerability from cvelistv5
Published
2023-10-24 20:25
Modified
2024-12-03 14:39
Severity: 7.5 HIGH (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Summary
An authenticated XCC user can change permissions for any user through a crafted API command.
References
https://support.lenovo.com/us/en/product_security/LEN-140960
Impacted products
Vendor | Product | Version |
---|---|---|
Lenovo | Lenovo XClarity Controller (XCC) | various |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:31:06.682Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://support.lenovo.com/us/en/product_security/LEN-140960" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-4607", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-09-11T18:25:31.488912Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-03T14:39:50.517Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Lenovo XClarity Controller (XCC)", "vendor": "Lenovo", "versions": [ { "status": "affected", "version": "various" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "An authenticated XCC user can change permissions for any user through a crafted API command." } ], "value": "An authenticated XCC user can change permissions for any user through a crafted API command." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-24T20:25:30.100Z", "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo" }, "references": [ { "url": "https://support.lenovo.com/us/en/product_security/LEN-140960" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Upgrade to the product version (or newer) indicated for your model in the advisory: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.lenovo.com/us/en/product_security/LEN-140960\"\u003ehttps://support.lenovo.com/us/en/product_security/LEN-140960\u003c/a\u003e" } ], "value": "Upgrade to the product version (or newer) indicated for your model in the advisory: https://support.lenovo.com/us/en/product_security/LEN-140960 " } ], "source": { "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "assignerShortName": "lenovo", "cveId": "CVE-2023-4607", "datePublished": "2023-10-24T20:25:30.100Z", "dateReserved": "2023-08-29T15:54:55.201Z", "dateUpdated": "2024-12-03T14:39:50.517Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-4606
Vulnerability from cvelistv5
Published
2023-10-24 20:25
Modified
2024-09-11 18:24
Severity: 8.1 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
Summary
An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command.
This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.
References
https://support.lenovo.com/us/en/product_security/LEN-140960
Impacted products
Vendor | Product | Version |
---|---|---|
Lenovo | Lenovo XClarity Controller (XCC) | various |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:31:06.613Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://support.lenovo.com/us/en/product_security/LEN-140960" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-4606", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-11T18:24:35.166486Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T18:24:50.644Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Lenovo XClarity Controller (XCC)", "vendor": "Lenovo", "versions": [ { "status": "affected", "version": "various" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "An authenticated XCC user with Read-Only permission can change a different user\u2019s password through a crafted API command.\u0026nbsp;\u0026nbsp;\n\nThis affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected." } ], "value": "An authenticated XCC user with Read-Only permission can change a different user\u2019s password through a crafted API command.\u00a0\u00a0\n\nThis affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-24T20:25:09.243Z", "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo" }, "references": [ { "url": "https://support.lenovo.com/us/en/product_security/LEN-140960" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Upgrade to the product version (or newer) indicated for your model in the advisory:\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.lenovo.com/us/en/product_security/LEN-140960\"\u003ehttps://support.lenovo.com/us/en/product_security/LEN-140960\u003c/a\u003e" } ], "value": "Upgrade to the product version (or newer) indicated for your model in the advisory:\u00a0 https://support.lenovo.com/us/en/product_security/LEN-140960 " } ], "source": { "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "assignerShortName": "lenovo", "cveId": "CVE-2023-4606", "datePublished": "2023-10-24T20:25:09.243Z", "dateReserved": "2023-08-29T15:54:54.303Z", "dateUpdated": "2024-09-11T18:24:50.644Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-4608
Vulnerability from cvelistv5
Published
2023-10-24 20:25
Modified
2024-09-11 20:38
Severity: 4.1 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L)
Summary
An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command.
This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.
References
https://support.lenovo.com/us/en/product_security/LEN-140960
Impacted products
Vendor | Product | Version |
---|---|---|
Lenovo | Lenovo XClarity Controller (XCC) | various |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:31:06.539Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://support.lenovo.com/us/en/product_security/LEN-140960" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-4608", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-11T20:37:37.552701Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T20:38:29.704Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Lenovo XClarity Controller (XCC)", "vendor": "Lenovo", "versions": [ { "status": "affected", "version": "various" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command.\u0026nbsp;\n\nThis affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected." } ], "value": "An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command.\u00a0\n\nThis affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-24T20:25:49.416Z", "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo" }, "references": [ { "url": "https://support.lenovo.com/us/en/product_security/LEN-140960" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Upgrade to the product version (or newer) indicated for your model in the advisory: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.lenovo.com/us/en/product_security/LEN-140960\"\u003ehttps://support.lenovo.com/us/en/product_security/LEN-140960\u003c/a\u003e" } ], "value": "Upgrade to the product version (or newer) indicated for your model in the advisory: https://support.lenovo.com/us/en/product_security/LEN-140960 " } ], "source": { "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "assignerShortName": "lenovo", "cveId": "CVE-2023-4608", "datePublished": "2023-10-24T20:25:49.416Z", "dateReserved": "2023-08-29T15:54:56.119Z", "dateUpdated": "2024-09-11T20:38:29.704Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-6187
Vulnerability from cvelistv5
Published
2019-11-20 01:31
Modified
2024-09-17 00:50
Severity: not stated (the record below carries no CVSS metrics)
Summary
A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server informational fields, which could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on XCC itself and has no effect on the server; the exposure is on the workstation where the exported file is opened, if the spreadsheet application evaluates the formula.
References
URL | Tags |
---|---|
https://support.lenovo.com/solutions/LEN-29118 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Lenovo | Lenovo XClarity Controller (XCC) | unspecified < TEI392M; unspecified < CDI340M; unspecified < G1I312; unspecified < PSI328M |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T20:16:24.496Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.lenovo.com/solutions/LEN-29118" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Lenovo XClarity Controller (XCC)", "vendor": "Lenovo", "versions": [ { "lessThan": "TEI392M", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "CDI340M", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "G1I312", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "PSI328M", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-11-19T00:00:00", "descriptions": [ { "lang": "en", "value": "A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server informational fields, that could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on XCC itself and has no effect on the server." } ], "problemTypes": [ { "descriptions": [ { "description": "arbitrary eode execution", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-11-20T01:31:13", "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.lenovo.com/solutions/LEN-29118" } ], "solutions": [ { "lang": "en", "value": "Update LXCC to the version indicated for your product." 
} ], "source": { "advisory": "LEN-29118", "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 0.0.8" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "psirt@lenovo.com", "DATE_PUBLIC": "2019-11-19T17:00:00.000Z", "ID": "CVE-2019-6187", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Lenovo XClarity Controller (XCC)", "version": { "version_data": [ { "affected": "\u003c", "version_affected": "\u003c", "version_value": "TEI392M" }, { "version_affected": "\u003c", "version_value": "CDI340M" }, { "version_affected": "\u003c", "version_value": "G1I312" }, { "version_affected": "\u003c", "version_value": "PSI328M" } ] } } ] }, "vendor_name": "Lenovo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server informational fields, that could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on XCC itself and has no effect on the server." } ] }, "generator": { "engine": "Vulnogram 0.0.8" }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "arbitrary eode execution" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.lenovo.com/solutions/LEN-29118", "refsource": "MISC", "url": "https://support.lenovo.com/solutions/LEN-29118" } ] }, "solution": [ { "lang": "en", "value": "Update LXCC to the version indicated for your product." 
} ], "source": { "advisory": "LEN-29118", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "assignerShortName": "lenovo", "cveId": "CVE-2019-6187", "datePublished": "2019-11-20T01:31:13.802773Z", "dateReserved": "2019-01-11T00:00:00", "dateUpdated": "2024-09-17T00:50:51.427Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }