Vulnerabilities > Lenovo > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2016-11-29 | CVE-2016-8223 | Improper Access Control vulnerability in Lenovo System Interface Foundation During an internal security review, Lenovo identified a local privilege escalation vulnerability in Lenovo System Interface Foundation software installed on some Windows 10 PCs where a user with local privileges could run arbitrary code with administrator level privileges. | 7.2 |
| 2016-09-22 | CVE-2016-5247 | 7PK - Security Features vulnerability in Lenovo Bios The BIOS for Lenovo ThinkCentre E93, M6500t/s, M6600, M6600q, M6600t/s, M73p, M800, M83, M8500t/s, M8600t/s, M900, M93, and M93P devices; ThinkServer RQ940, RS140, TS140, TS240, TS440, and TS540 devices; and ThinkStation E32, P300, and P310 devices might allow local users or physically proximate attackers to bypass the Secure Boot protection mechanism by leveraging an AMI test key. | 7.2 |
| 2016-06-30 | CVE-2016-5249 | Permissions, Privileges, and Access Controls vulnerability in Lenovo Solution Center 3.3.002 Lenovo Solution Center (LSC) before 3.3.003 allows local users to execute arbitrary code with LocalSystem privileges via vectors involving the LSC.Services.SystemService StartProxy command with a named pipe created in advance and crafted .NET assembly. | 7.2 |
| 2016-04-11 | CVE-2016-2393 | Permissions, Privileges, and Access Controls vulnerability in Lenovo Fingerprint Manager and Touch Fingerprint Lenovo Fingerprint Manager before 8.01.57 and Touch Fingerprint before 1.00.08 use weak ACLs for unspecified (1) services and (2) files, which allows local users to gain privileges by invalidating local checks. | 7.2 |
| 2015-11-12 | CVE-2015-7820 | Race Condition vulnerability in multiple products Race condition in the administration-panel web service in IBM System Networking Switch Center (SNSC) before 7.3.1.5 and Lenovo Switch Center before 8.1.2.0 allows remote attackers to obtain privileged-account access, and consequently provide ZipDownload.jsp input containing directory traversal sequences to read arbitrary files, via a request to port 40080 or 40443. | 7.1 |
| 2015-11-12 | CVE-2015-7818 | Permissions, Privileges, and Access Controls vulnerability in multiple products The administration-panel web service in IBM System Networking Switch Center (SNSC) before 7.3.1.5 and Lenovo Switch Center before 8.1.2.0 allows local users to execute arbitrary JSP code with SYSTEM privileges by using the Apache Axis AdminService deployment method to install a .jsp file. | 7.2 |
| 2015-11-12 | CVE-2015-7817 | Race Condition vulnerability in multiple products Race condition in the administration-panel web service in IBM System Networking Switch Center (SNSC) before 7.3.1.5 and Lenovo Switch Center before 8.1.2.0 allows remote attackers to obtain privileged-account access, and consequently provide FileReader.jsp input containing directory traversal sequences to read arbitrary text files, via a request to port 40080 or 40443. | 7.1 |
| 2015-05-12 | CVE-2015-2233 | Cryptographic Issues vulnerability in Lenovo System Update 5.06.0027 Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 does not properly validate CA chains during signature validation, which allows man-in-the-middle attackers to upload and execute arbitrary files via a crafted certificate. | 8.3 |
| 2015-05-12 | CVE-2015-2219 | Permissions, Privileges, and Access Controls vulnerability in Lenovo System Update 5.06.0027 Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses predictable security tokens, which allows local users to gain privileges by sending a valid token with a command to the System Update service (SUService.exe) through an unspecified named pipe. | 7.2 |
| 2014-03-03 | CVE-2014-1939 | Code Injection vulnerability in multiple products java/android/webkit/BrowserFrame.java in Android before 4.4 uses the addJavascriptInterface API in conjunction with creating an object of the SearchBoxImpl class, which allows attackers to execute arbitrary Java code by leveraging access to the searchBoxJavaBridge_ interface at certain Android API levels. | 7.5 |