| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A valid, authenticated XCC user with read only access may gain elevated privileges through a specifically crafted API call. |
| A local privilege escalation vulnerability in the ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool could allow an attacker with local access to execute code with elevated privileges during the package upgrade or installation. |
| An ErrorMessage driver stack-based buffer overflow vulnerability in BIOS of some ThinkPad models could allow an attacker with local access to elevate their privileges and execute arbitrary code. |
| A buffer overflow vulnerability in the SecureBootDXE BIOS driver of some Lenovo Desktop and ThinkStation models could allow an attacker with local access to elevate their privileges to execute arbitrary code. |
| A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXCA managed device through a specially crafted web API call. |
| A valid, authenticated LXCA user may be able to unmanage an LXCA managed device in through the LXCA web interface without sufficient privileges. |
| A valid, authenticated LXCA user with elevated privileges may be able to execute command injections through crafted calls to a specific web API. |
| A potential vulnerability in the LenovoFlashDeviceInterface SMI handler may allow an attacker with local access and elevated privileges to execute arbitrary code. |
| An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model (CIM) server that could result in read-only access to specific files. |
| A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LXCA due to a SQL injection vulnerability in a specific web API. |
| An authenticated XCC user can change permissions for any user through a crafted API command. |
| An incorrect permissions vulnerability was reported in the Lenovo App Store app that could allow an attacker to use system resources, resulting in a denial of service. |
| Lenovo LeCloud App improper input validation allows attackers to access arbitrary components and arbitrary file downloads, which could result in information disclosure.
|
| A vulnerability was reported in some ThinkPad BIOS that could allow a physical or local attacker with elevated privileges to tamper with BIOS firmware. |
| A buffer overflow was reported in the FmpSipoCapsuleDriver driver in the IdeaPad Duet 3-10IGL5 that may allow a local attacker with elevated privileges to execute arbitrary code. |
|
A potential use-after-free vulnerability was reported in the Lenovo View driver that could result in denial of service.
|
|
A privilege escalation vulnerability was reported in Lenovo preloaded devices deployed using Microsoft AutoPilot under a standard user account due to incorrect default privileges.
|
| An uncontrolled search path vulnerability was reported in Lenovo System Update that could allow an attacker with local access to execute code with elevated privileges. |
| An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command.
This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected. |
| An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command.
This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected. |
