Vulnerabilities > Lenovo > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-27 | CVE-2022-34886 | Out-of-bounds Write vulnerability in Lenovo products A remote code execution vulnerability was found in the firmware used in some Lenovo printers, which can be caused by a remote user pushing an illegal string to the server-side interface via a script, resulting in a stack overflow. | 8.8 |
| 2023-10-25 | CVE-2022-3699 | Out-of-bounds Write vulnerability in Lenovo products A privilege escalation vulnerability was reported in the Lenovo HardwareScanPlugin prior to version 1.3.1.2 and Lenovo Diagnostics prior to version 4.45 that could allow a local user to execute code with elevated privileges. | 7.8 |
| 2023-10-25 | CVE-2023-4606 | Missing Authorization vulnerability in Lenovo products An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected. | 8.1 |
| 2023-10-25 | CVE-2023-4607 | Improper Privilege Management vulnerability in Lenovo products An authenticated XCC user can change permissions for any user through a crafted API command. | 8.8 |
| 2023-10-25 | CVE-2023-4608 | SQL Injection vulnerability in Lenovo products An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected. | 7.2 |
| 2023-10-09 | CVE-2022-3431 | Incorrect Default Permissions vulnerability in Lenovo products A potential vulnerability in a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable. | 7.8 |
| 2023-08-17 | CVE-2023-3078 | Uncontrolled Search Path Element vulnerability in Lenovo Universal Device Client An uncontrolled search path vulnerability was reported in the Lenovo Universal Device Client (UDC) that could allow an attacker with local access to execute code with elevated privileges. | 7.8 |
| 2023-08-17 | CVE-2023-4030 | Failing Open vulnerability in Lenovo products A vulnerability was reported in BIOS for ThinkPad P14s Gen 2, P15s Gen 2, T14 Gen 2, and T15 Gen 2 that could cause the system to recover to insecure settings if the BIOS becomes corrupt. | 7.8 |
| 2023-06-26 | CVE-2023-2992 | Unspecified vulnerability in Lenovo products An unauthenticated denial of service vulnerability exists in the SMM v1, SMM v2, and FPC management web server which can be triggered under crafted conditions. | 7.5 |
| 2023-06-26 | CVE-2023-34418 | SQL Injection vulnerability in Lenovo Xclarity Administrator A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LXCA due to a SQL injection vulnerability in a specific web API. | 8.1 |