CVSS: 6.7EPSS: 0%CPEs: 99EXPL: 0CVE-2024-45105
https://notcve.org/view.php?id=CVE-2024-45105
13 Sep 2024 — An internal product security audit discovered a UEFI SMM (System Management Mode) callout vulnerability in some ThinkSystem servers that could allow a local attacker with elevated privileges to execute arbitrary code. • https://support.lenovo.com/us/en/product_security/LEN-165524 • CWE-825: Expired Pointer Dereference •
CVSS: 8.3EPSS: 0%CPEs: 139EXPL: 0CVE-2024-8281
https://notcve.org/view.php?id=CVE-2024-8281
13 Sep 2024 — An input validation weakness was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection through specially crafted command line input in the XCC SSH captive shell. • https://support.lenovo.com/us/en/product_security/LEN-172051 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.3EPSS: 0%CPEs: 139EXPL: 0CVE-2024-8280
https://notcve.org/view.php?id=CVE-2024-8280
13 Sep 2024 — An input validation weakness was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection or cause a recoverable denial of service using a specially crafted file. • https://support.lenovo.com/us/en/product_security/LEN-172051 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.3EPSS: 0%CPEs: 139EXPL: 0CVE-2024-8279
https://notcve.org/view.php?id=CVE-2024-8279
13 Sep 2024 — A privilege escalation vulnerability was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads. • https://support.lenovo.com/us/en/product_security/LEN-172051 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.3EPSS: 0%CPEs: 139EXPL: 0CVE-2024-8278
https://notcve.org/view.php?id=CVE-2024-8278
13 Sep 2024 — A privilege escalation vulnerability was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection via specially crafted IPMI commands. • https://support.lenovo.com/us/en/product_security/LEN-172051 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.3EPSS: 0%CPEs: 114EXPL: 0CVE-2023-4608
https://notcve.org/view.php?id=CVE-2023-4608
24 Oct 2023 — An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected. Un usuario de XCC autenticado con privilegios elevados puede realizar una inyección blind SQL en casos limitados a través de un comando API manipulado. Esto afecta a los servidores ThinkSystem v2 y v3 con XCC; Los servidores ThinkSystem v1 no se ven afectados. • https://support.lenovo.com/us/en/product_security/LEN-140960 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 0%CPEs: 256EXPL: 0CVE-2023-4607
https://notcve.org/view.php?id=CVE-2023-4607
24 Oct 2023 — An authenticated XCC user can change permissions for any user through a crafted API command. Un usuario XCC autenticado puede cambiar los permisos de cualquier usuario mediante un comando API manipulado. • https://support.lenovo.com/us/en/product_security/LEN-140960 • CWE-269: Improper Privilege Management •
CVSS: 8.5EPSS: 0%CPEs: 114EXPL: 0CVE-2023-4606
https://notcve.org/view.php?id=CVE-2023-4606
24 Oct 2023 — An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected. Un usuario XCC autenticado con permiso de solo lectura puede cambiar la contraseña de un usuario diferente mediante un comando API manipulado. Esto afecta a los servidores ThinkSystem v2 y v3 con XCC; Los servidores ThinkSystem v1 no se ven afectados. • https://support.lenovo.com/us/en/product_security/LEN-140960 • CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 0%CPEs: 225EXPL: 0CVE-2023-0683
https://notcve.org/view.php?id=CVE-2023-0683
01 May 2023 — A valid, authenticated XCC user with read only access may gain elevated privileges through a specifically crafted API call. • https://support.lenovo.com/us/en/product_security/LEN-99936 • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 0%CPEs: 225EXPL: 0CVE-2023-25492
https://notcve.org/view.php?id=CVE-2023-25492
01 May 2023 — A valid, authenticated user may be able to trigger a denial of service of the XCC web user interface or other undefined behavior through a format string injection vulnerability in a web interface API. • https://support.lenovo.com/us/en/product_security/LEN-99936 • CWE-134: Use of Externally-Controlled Format String •