27 results (0.004 seconds)

CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0

A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXCA managed device through a specially crafted web API call. • https://support.lenovo.com/us/en/product_security/LEN-154748 • CWE-282: Improper Ownership Management •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

A valid, authenticated LXCA user may be able to unmanage an LXCA managed device in through the LXCA web interface without sufficient privileges. • https://support.lenovo.com/us/en/product_security/LEN-154748 • CWE-282: Improper Ownership Management •

CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0

A privilege escalation vulnerability was discovered when Single Sign On (SSO) is enabled that could allow an attacker to intercept a valid, authenticated LXCA user’s XCC session if they can convince the user to click on a specially crafted URL. • https://support.lenovo.com/us/en/product_security/LEN-154748 • CWE-319: Cleartext Transmission of Sensitive Information •

CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0

A valid authenticated Lenovo XClarity Administrator (LXCA) user can potentially leverage an unauthenticated API endpoint to retrieve system event information. Un usuario válido de Lenovo XClarity Administrator (LXCA) puede aprovechar un endpoint API no autenticado para recuperar información de eventos del sistema. • https://support.lenovo.com/us/en/product_security/LEN-136592 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

A valid, authenticated LXCA user with elevated privileges may be able to delete folders in the LXCA filesystem through a specifically crafted web API call due to insufficient input validation. • https://support.lenovo.com/us/en/product_security/LEN-98715 • CWE-20: Improper Input Validation •