Vulnerabilities > Lenovo

DATE CVE VULNERABILITY TITLE RISK
2018-11-27 CVE-2018-16091 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Lenovo System Management Module Firmware 1.05
In System Management Module (SMM) versions prior to 1.06, the SMM certificate creation and parsing logic is vulnerable to several buffer overflows.
network
high complexity
lenovo CWE-119
8.1
2018-11-27 CVE-2018-16090 OS Command Injection vulnerability in Lenovo System Management Module Firmware 1.05
In System Management Module (SMM) versions prior to 1.06, the SMM certificate creation and parsing logic is vulnerable to post-authentication command injection.
network
high complexity
lenovo CWE-78
7.5
2018-11-27 CVE-2018-16089 OS Command Injection vulnerability in Lenovo System Management Module Firmware 1.05
In System Management Module (SMM) versions prior to 1.06, a field in the header of SMM firmware update images is insufficiently sanitized, allowing post-authentication command injection on the SMM as the root user.
network
high complexity
lenovo CWE-78
7.5
2018-11-16 CVE-2018-9086 OS Command Injection vulnerability in Lenovo products
In some Lenovo ThinkServer-branded servers, a command injection vulnerability exists in the BMC firmware download command.
network
low complexity
lenovo CWE-78
7.2
2018-11-16 CVE-2018-9085 Incorrect Default Permissions vulnerability in multiple products
A write protection lock bit was left unset after boot on an older generation of Lenovo and IBM System x servers, potentially allowing an attacker with administrator access to modify the subset of flash memory containing Intel Server Platform Services (SPS) and the system Flash Descriptors.
network
low complexity
lenovo ibm CWE-276
4.9
2018-11-16 CVE-2018-9073 Use of Hard-coded Credentials vulnerability in Lenovo Chassis Management Module Firmware
Lenovo Chassis Management Module (CMM) prior to version 2.0.0 utilizes a hardcoded encryption key to protect certain secrets.
network
high complexity
lenovo CWE-798
5.9
2018-11-16 CVE-2018-9071 Information Exposure vulnerability in Lenovo Chassis Management Module Firmware
Lenovo Chassis Management Module (CMM) prior to version 2.0.0 allows unauthenticated users to retrieve information related to the current authentication configuration settings.
network
low complexity
lenovo CWE-200
5.3
2018-10-02 CVE-2018-9069 Race Condition vulnerability in multiple products
In some Lenovo IdeaPad consumer notebook models, a race condition in the BIOS flash device locking mechanism is not adequately protected against, potentially allowing an attacker with administrator access to alter the contents of BIOS.
network
high complexity
hp lenovo CWE-362
5.9
2018-09-28 CVE-2018-9082 Session Fixation vulnerability in Lenovo products
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one.
network
low complexity
lenovo CWE-384
8.8
2018-09-28 CVE-2018-9081 Cross-site Scripting vulnerability in Lenovo products
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file name used for assets accessible through the Content Viewer application are vulnerable to self cross-site scripting self-XSS.
network
high complexity
lenovo CWE-79
4.7