CVSS: 4.4EPSS: 0%CPEs: 673EXPL: 0CVE-2022-40134
https://notcve.org/view.php?id=CVE-2022-40134
30 Jan 2023 — An information leak vulnerability in the SMI Set BIOS Password SMI Handler in some Lenovo models may allow an attacker with local access and elevated privileges to read SMM memory. • https://support.lenovo.com/us/en/product_security/LEN-94953 • CWE-125: Out-of-bounds Read •
CVSS: 4.9EPSS: 0%CPEs: 66EXPL: 0CVE-2021-3473
https://notcve.org/view.php?id=CVE-2021-3473
13 Apr 2021 — An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exists in this internal log buffer for less than 10 minutes before being overwritten. Generating an FFDC service log will include the log buffer contents, including the backup/restore password if present. The FFDC ser... • https://support.lenovo.com/us/en/product_security/LEN-52117 • CWE-312: Cleartext Storage of Sensitive Information CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 4.8EPSS: 0%CPEs: 45EXPL: 0CVE-2019-6195
https://notcve.org/view.php?id=CVE-2019-6195
14 Feb 2020 — An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) “LDAP Authentication Only with Local Authorization” mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out. The authorization bypass does not exist when “Local Authentication a... • https://support.lenovo.com/us/en/product_security/LEN-29116 • CWE-264: Permissions, Privileges, and Access Controls CWE-269: Improper Privilege Management •
CVSS: 6.5EPSS: 0%CPEs: 45EXPL: 0CVE-2019-6187
https://notcve.org/view.php?id=CVE-2019-6187
20 Nov 2019 — A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server informational fields, that could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on XCC itself and has no effect on the server. Se reportó una vulnerabilidad de inyección CSV almacenada en Lenovo XClarity Controller (XCC) lo que podría permitir a un u... • https://support.lenovo.com/solutions/LEN-29118 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •