Vulnerabilities > Lenovo
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-11-16 | CVE-2018-9071 | Information Exposure vulnerability in Lenovo Chassis Management Module Firmware Lenovo Chassis Management Module (CMM) prior to version 2.0.0 allows unauthenticated users to retrieve information related to the current authentication configuration settings. | 5.3 |
| 2018-10-02 | CVE-2018-9069 | Race Condition vulnerability in multiple products In some Lenovo IdeaPad consumer notebook models, a race condition in the BIOS flash device locking mechanism is not adequately protected against, potentially allowing an attacker with administrator access to alter the contents of BIOS. | 5.9 |
| 2018-09-28 | CVE-2018-9082 | Session Fixation vulnerability in Lenovo products For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one. | 8.8 |
| 2018-09-28 | CVE-2018-9081 | Cross-site Scripting vulnerability in Lenovo products For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file name used for assets accessible through the Content Viewer application are vulnerable to self cross-site scripting self-XSS. | 4.7 |
| 2018-09-28 | CVE-2018-9080 | Improper Authentication vulnerability in Lenovo products For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, by setting the Iomega cookie to a known value before logging into the NAS's web application, the NAS will not provide the user a new cookie value. | 5.9 |
| 2018-09-28 | CVE-2018-9079 | Cross-site Scripting vulnerability in Lenovo products For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, adversaries can craft URLs to modify the Document Object Model (DOM) of the page. | 9.8 |
| 2018-09-28 | CVE-2018-9078 | Cross-site Scripting vulnerability in Lenovo products For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device's origin instead of prompting to download the asset. | 8.8 |
| 2018-09-28 | CVE-2018-9077 | OS Command Injection vulnerability in Lenovo Lenovoemc Firmware 4.1.402.34662 For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when changing the name of a share, an attacker can craft a command injection payload using backtick "``" characters in the share : name parameter. | 8.1 |
| 2018-09-28 | CVE-2018-9076 | OS Command Injection vulnerability in Lenovo Lenovoemc Firmware 4.1.402.34662 For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when changing the name of a share, an attacker can craft a command injection payload using backtick "``" characters in the name parameter. | 8.1 |
| 2018-09-28 | CVE-2018-9075 | OS Command Injection vulnerability in Lenovo Lenovoemc Firmware 4.1.402.34662 For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when joining a PersonalCloud setup, an attacker can craft a command injection payload using backtick "``" characters in the client:password parameter. | 8.1 |