CVSS: 5.3EPSS: 0%CPEs: 10EXPL: 0CVE-2021-42848
https://notcve.org/view.php?id=CVE-2021-42848
An information disclosure vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to retrieve device and networking details. Se informó de una vulnerabilidad de divulgación de información en algunos dispositivos de Lenovo Personal Cloud Storage que podría permitir a un usuario no autenticado recuperar detalles del dispositivo y de la red • https://iknow.lenovo.com.cn/detail/dc_200017.html • CWE-862: Missing Authorization •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-3969
https://notcve.org/view.php?id=CVE-2021-3969
A Time of Check Time of Use (TOCTOU) vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, prior to version 1.1.20.3that could allow a local attacker to elevate privileges. Se informó de una vulnerabilidad en el tiempo de comprobación del tiempo de uso (TOCTOU) en IMController, un componente de software de Lenovo System Interface Foundation, versiones anteriores a 1.1.20.3, que podría permitir a un atacante local elevar sus privilegios • https://support.lenovo.com/us/en/product_security/LEN-75210 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 5.3EPSS: 0%CPEs: 52EXPL: 0CVE-2021-3956
https://notcve.org/view.php?id=CVE-2021-3956
A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected. Se ha informado de una vulnerabilidad de elusión de autenticación de solo lectura en la versión del tercer trimestre de 2021 del firmware de Lenovo XClarity Controller (XCC) que afecta a los dispositivos XCC configurados en el modo de solo autenticación LDAP y que usan un servidor LDAP que admite €œunauthenticated bindâ€?, como Microsoft Active Directory. • https://support.lenovo.com/us/en/product_security/LEN-72074 • CWE-863: Incorrect Authorization •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-3922
https://notcve.org/view.php?id=CVE-2021-3922
A race condition vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, prior to version 1.1.20.3 that could allow a local attacker to connect and interact with the IMController child process' named pipe. Se ha informado de una vulnerabilidad de condición de carrera en IMController, un componente de software de Lenovo System Interface Foundation, anterior a la versión 1.1.20.3 que podría permitir a un atacante local conectarse e interactuar con la tubería con nombre del proceso hijo de IMController • https://support.lenovo.com/us/en/product_security/LEN-75210 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 0CVE-2021-3897
https://notcve.org/view.php?id=CVE-2021-3897
An authentication bypass vulnerability was discovered in an internal service of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware during an that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected. Se ha detectado una vulnerabilidad de omisión de autenticación en un servicio interno del firmware de Lenovo Fan Power Controller2 (FPC2) y Lenovo System Management Module (SMM) durante un que podría permitir a un atacante no autenticado ejecutar comandos en el SMM y el FPC2. SMM2 no está afectado • https://support.lenovo.com/us/en/product_security/LEN-72615 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •