Vulnerabilities > CVE-2019-6187 - Improper Neutralization of Formula Elements in a CSV File vulnerability in Lenovo Xclarity Controller

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

lenovo

CWE-1236

NVD

Published: 2019-11-20

Updated: 2020-08-24

Summary

A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server informational fields, that could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on XCC itself and has no effect on the server.

Vulnerable Configurations

Part	Description	Count
Application	Lenovo Lenovo Xclarity Controller - Lenovo Xclarity Controller 1.10_Tgbt12Q Lenovo Xclarity Controller 1.51_Tgbt24L Lenovo Xclarity Controller 1.71_Psi328N Lenovo Xclarity Controller 2.14_Psi338I Lenovo Xclarity Controller 2.32_Psi342N Lenovo Xclarity Controller 3.01_Tei392O Lenovo Xclarity Controller 3.08_Cdi340V Lenovo Xclarity Controller 3.41_Tei382M Lenovo Xclarity Controller 4.40_Tei3B2P Lenovo Xclarity Controller 4.83_Tei3C0N Lenovo Xclarity Controller 6.00_Cdi370Q Lenovo Xclarity Controller 7.22_Cdi382O Lenovo Xclarity Controller Cdi340M Lenovo Xclarity Controller G1I312 Lenovo Xclarity Controller Psi328M	16
Hardware	Lenovo Lenovo Thinkagile 7X82 - Lenovo Thinkagile 7Y11 - Lenovo Thinkagile 7Y12 - Lenovo Thinkagile 7Y88 - Lenovo Thinkagile 7Y92 - Lenovo Thinkagile 7Z03 - Lenovo Thinksystem Sd530 - Lenovo Thinksystem Sd650 - Lenovo Thinksystem Sn550 - Lenovo Thinksystem Sn850 - Lenovo Thinksystem Sr150 - Lenovo Thinksystem Sr158 - Lenovo Thinksystem Sr250 - Lenovo Thinksystem Sr258 - Lenovo Thinksystem Sr850 - Lenovo Thinksystem Sr860 - Lenovo Thinksystem St250 - Lenovo Thinksystem St258 - Lenovo Thinkagile 7D1H - Lenovo Thinkagile 7X83 - Lenovo Thinkagile 7Y13 - Lenovo Thinkagile 7Y14 - Lenovo Thinkagile 7Y90 - Lenovo Thinkagile 7Y93 - Lenovo Thinkagile 7Y94 - Lenovo Thinkagile 7Z04 - Lenovo Thinkagile 7Z05 - Lenovo Thinkagile 7Z06 - Lenovo Thinkagile 7Z07 - Lenovo Thinkagile 7Z20 - Lenovo Thinkagile Yx84 - Lenovo Thinksystem Sr530 - Lenovo Thinksystem Sr550 - Lenovo Thinksystem Sr570 - Lenovo Thinksystem Sr590 - Lenovo Thinksystem Sr630 - Lenovo Thinksystem Sr650 - Lenovo Thinksystem St550 - Lenovo Thinksystem St558 - Lenovo Thinksystem Sr670 - Lenovo Thinksystem Sr950 -	41

Common Weakness Enumeration (CWE)

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

References

https://support.lenovo.com/solutions/LEN-29118