CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34420
https://notcve.org/view.php?id=CVE-2023-34420
A valid, authenticated LXCA user with elevated privileges may be able to execute command injections through crafted calls to a specific web API. • https://support.lenovo.com/us/en/product_security/LEN-98715 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34418
https://notcve.org/view.php?id=CVE-2023-34418
A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LXCA due to a SQL injection vulnerability in a specific web API. • https://support.lenovo.com/us/en/product_security/LEN-98715 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3113
https://notcve.org/view.php?id=CVE-2023-3113
An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model (CIM) server that could result in read-only access to specific files. • https://support.lenovo.com/us/en/product_security/LEN-98715 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.3EPSS: 0%CPEs: 16EXPL: 0CVE-2023-2993
https://notcve.org/view.php?id=CVE-2023-2993
A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute. • https://support.lenovo.com/us/en/product_security/LEN-127357 • CWE-281: Improper Preservation of Permissions •
CVSS: 7.5EPSS: 0%CPEs: 16EXPL: 0CVE-2023-2992
https://notcve.org/view.php?id=CVE-2023-2992
An unauthenticated denial of service vulnerability exists in the SMM v1, SMM v2, and FPC management web server which can be triggered under crafted conditions. Rebooting SMM or FPC will restore access to the management web server. • https://support.lenovo.com/us/en/product_security/LEN-127357 • CWE-400: Uncontrolled Resource Consumption CWE-405: Asymmetric Resource Consumption (Amplification) •