CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38512
https://notcve.org/view.php?id=CVE-2024-38512
26 Jul 2024 — A privilege escalation vulnerability was discovered in XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted IPMI commands. • https://support.lenovo.com/us/en/product_security/LEN-156781 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38511
https://notcve.org/view.php?id=CVE-2024-38511
26 Jul 2024 — A privilege escalation vulnerability was discovered in an upload processing functionality of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads. • https://support.lenovo.com/us/en/product_security/LEN-156781 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38510
https://notcve.org/view.php?id=CVE-2024-38510
26 Jul 2024 — A privilege escalation vulnerability was discovered in the SSH captive command shell interface that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads. • https://support.lenovo.com/us/en/product_security/LEN-156781 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38509
https://notcve.org/view.php?id=CVE-2024-38509
26 Jul 2024 — A privilege escalation vulnerability was discovered in XCC that could allow an authenticated XCC user with elevated privileges to execute arbitrary code via a specially crafted IPMI command. • https://support.lenovo.com/us/en/product_security/LEN-156781 • CWE-121: Stack-based Buffer Overflow •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38508
https://notcve.org/view.php?id=CVE-2024-38508
26 Jul 2024 — A privilege escalation vulnerability was discovered in the web interface or SSH captive command shell interface of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via a specially crafted request. • https://support.lenovo.com/us/en/product_security/LEN-156781 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.3EPSS: 0%CPEs: 52EXPL: 0CVE-2021-3956
https://notcve.org/view.php?id=CVE-2021-3956
18 May 2022 — A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authenticatio... • https://support.lenovo.com/us/en/product_security/LEN-72074 • CWE-863: Incorrect Authorization •
CVSS: 4.9EPSS: 0%CPEs: 66EXPL: 0CVE-2021-3473
https://notcve.org/view.php?id=CVE-2021-3473
13 Apr 2021 — An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exists in this internal log buffer for less than 10 minutes before being overwritten. Generating an FFDC service log will include the log buffer contents, including the backup/restore password if present. The FFDC ser... • https://support.lenovo.com/us/en/product_security/LEN-52117 • CWE-312: Cleartext Storage of Sensitive Information CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 4.8EPSS: 0%CPEs: 45EXPL: 0CVE-2019-6195
https://notcve.org/view.php?id=CVE-2019-6195
14 Feb 2020 — An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) “LDAP Authentication Only with Local Authorization” mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out. The authorization bypass does not exist when “Local Authentication a... • https://support.lenovo.com/us/en/product_security/LEN-29116 • CWE-264: Permissions, Privileges, and Access Controls CWE-269: Improper Privilege Management •
CVSS: 6.5EPSS: 0%CPEs: 45EXPL: 0CVE-2019-6187
https://notcve.org/view.php?id=CVE-2019-6187
20 Nov 2019 — A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server informational fields, that could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on XCC itself and has no effect on the server. Se reportó una vulnerabilidad de inyección CSV almacenada en Lenovo XClarity Controller (XCC) lo que podría permitir a un u... • https://support.lenovo.com/solutions/LEN-29118 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 9.8EPSS: 1%CPEs: 67EXPL: 0CVE-2017-17833 – openslp: Heap memory corruption in slpd/slpd_process.c allows denial of service or potentially code execution
https://notcve.org/view.php?id=CVE-2017-17833
23 Apr 2018 — OpenSLP releases in the 1.0.2 and 1.1.0 code streams have a heap-related memory corruption issue which may manifest itself as a denial-of-service or a remote code-execution vulnerability. Las versiones de OpenSLP en las secuencias de código 1.0.2 y 1.1.0 tienen un problema de corrupción de memoria relacionada con la memoria dinámica (heap), que puede manifestarse como una vulnerabilidad de denegación de servicio (DoS) o de ejecución remota de código. A use-after-free flaw in OpenSLP 1.x and 2.x baselines wa... • http://support.lenovo.com/us/en/solutions/LEN-18247 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-416: Use After Free •