Vulnerabilities > Lenovo

DATE CVE VULNERABILITY TITLE RISK
2023-08-17 CVE-2023-4029 Unspecified vulnerability in Lenovo products
A buffer overflow has been identified in the BoardUpdateAcpiDxe driver in some Lenovo ThinkPad products which may allow an attacker with local access and elevated privileges to execute arbitrary code.
local
low complexity
lenovo
6.7
2023-08-17 CVE-2023-4030 Unspecified vulnerability in Lenovo products
A vulnerability was reported in BIOS for ThinkPad P14s Gen 2, P15s Gen 2, T14 Gen 2, and T15 Gen 2 that could cause the system to recover to insecure settings if the BIOS becomes corrupt.
local
low complexity
lenovo
7.8
2023-06-26 CVE-2023-2290 Unspecified vulnerability in Lenovo products
A potential vulnerability in the LenovoFlashDeviceInterface SMI handler may allow an attacker with local access and elevated privileges to execute arbitrary code.
local
low complexity
lenovo
6.7
2023-06-26 CVE-2023-2992 Unspecified vulnerability in Lenovo products
An unauthenticated  denial of service vulnerability exists in the SMM v1, SMM v2, and FPC management web server which can be triggered under crafted conditions.
network
low complexity
lenovo
7.5
2023-06-26 CVE-2023-2993 Improper Preservation of Permissions vulnerability in Lenovo products
A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute.
network
low complexity
lenovo CWE-281
6.3
2023-06-26 CVE-2023-34418 SQL Injection vulnerability in Lenovo Xclarity Administrator
A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LXCA due to a SQL injection vulnerability in a specific web API.
network
low complexity
lenovo CWE-89
8.1
2023-06-26 CVE-2023-34420 OS Command Injection vulnerability in Lenovo Xclarity Administrator
A valid, authenticated LXCA user with elevated privileges may be able to execute command injections through crafted calls to a specific web API.
network
low complexity
lenovo CWE-78
7.2
2023-06-26 CVE-2023-34421 Improper Input Validation vulnerability in Lenovo Xclarity Administrator
A valid, authenticated LXCA user with elevated privileges may be able to replace filesystem data through a specifically crafted web API call due to insufficient input validation.
network
low complexity
lenovo CWE-20
6.5
2023-06-26 CVE-2023-34422 Improper Input Validation vulnerability in Lenovo Xclarity Administrator
A valid, authenticated LXCA user with elevated privileges may be able to delete folders in the LXCA filesystem through a specifically crafted web API call due to insufficient input validation.
network
low complexity
lenovo CWE-20
6.5
2023-06-26 CVE-2023-3113 XXE vulnerability in Lenovo Xclarity Administrator
An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model (CIM) server that could result in read-only access to specific files.
network
low complexity
lenovo CWE-611
7.5