CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34421
https://notcve.org/view.php?id=CVE-2023-34421
26 Jun 2023 — A valid, authenticated LXCA user with elevated privileges may be able to replace filesystem data through a specifically crafted web API call due to insufficient input validation. • https://support.lenovo.com/us/en/product_security/LEN-98715 • CWE-20: Improper Input Validation •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34420
https://notcve.org/view.php?id=CVE-2023-34420
26 Jun 2023 — A valid, authenticated LXCA user with elevated privileges may be able to execute command injections through crafted calls to a specific web API. • https://support.lenovo.com/us/en/product_security/LEN-98715 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34418
https://notcve.org/view.php?id=CVE-2023-34418
26 Jun 2023 — A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LXCA due to a SQL injection vulnerability in a specific web API. • https://support.lenovo.com/us/en/product_security/LEN-98715 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3113
https://notcve.org/view.php?id=CVE-2023-3113
26 Jun 2023 — An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model (CIM) server that could result in read-only access to specific files. • https://support.lenovo.com/us/en/product_security/LEN-98715 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.5EPSS: 0%CPEs: 16EXPL: 0CVE-2023-2993
https://notcve.org/view.php?id=CVE-2023-2993
26 Jun 2023 — A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute. • https://support.lenovo.com/us/en/product_security/LEN-127357 • CWE-281: Improper Preservation of Permissions •
CVSS: 7.8EPSS: 0%CPEs: 16EXPL: 0CVE-2023-2992
https://notcve.org/view.php?id=CVE-2023-2992
26 Jun 2023 — An unauthenticated denial of service vulnerability exists in the SMM v1, SMM v2, and FPC management web server which can be triggered under crafted conditions. Rebooting SMM or FPC will restore access to the management web server. • https://support.lenovo.com/us/en/product_security/LEN-127357 • CWE-400: Uncontrolled Resource Consumption CWE-405: Asymmetric Resource Consumption (Amplification) •
CVSS: 6.7EPSS: 0%CPEs: 226EXPL: 0CVE-2023-2290
https://notcve.org/view.php?id=CVE-2023-2290
26 Jun 2023 — A potential vulnerability in the LenovoFlashDeviceInterface SMI handler may allow an attacker with local access and elevated privileges to execute arbitrary code. • https://support.lenovo.com/us/en/product_security/LEN-106014 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 62EXPL: 0CVE-2022-48188
https://notcve.org/view.php?id=CVE-2022-48188
05 Jun 2023 — A buffer overflow vulnerability in the SecureBootDXE BIOS driver of some Lenovo Desktop and ThinkStation models could allow an attacker with local access to elevate their privileges to execute arbitrary code. • https://support.lenovo.com/us/en/product_security/LEN-124495 • CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 244EXPL: 0CVE-2022-48181
https://notcve.org/view.php?id=CVE-2022-48181
05 Jun 2023 — An ErrorMessage driver stack-based buffer overflow vulnerability in BIOS of some ThinkPad models could allow an attacker with local access to elevate their privileges and execute arbitrary code. • https://support.lenovo.com/us/en/product_security/LEN-124495 • CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-4569
https://notcve.org/view.php?id=CVE-2022-4569
05 Jun 2023 — A local privilege escalation vulnerability in the ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool could allow an attacker with local access to execute code with elevated privileges during the package upgrade or installation. • https://support.lenovo.com/us/en/product_security/LEN-103544 • CWE-276: Incorrect Default Permissions •