Vulnerabilities > Lenovo > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-08-23 | CVE-2022-3745 | Information Exposure vulnerability in Lenovo products. A potential vulnerability was discovered in LCFC BIOS for some Lenovo consumer notebook models that could allow a local attacker with elevated privileges to view incoming and returned data from SMI. | 4.4 |
2023-08-23 | CVE-2022-3746 | Improper Access Control vulnerability in Lenovo products. A potential vulnerability was discovered in LCFC BIOS for some Lenovo consumer notebook models that could allow a local attacker with elevated privileges to cause some peripherals to work abnormally due to an exposed Embedded Controller (EC) interface. | 6.7 |
2023-08-17 | CVE-2023-34419 | Classic Buffer Overflow vulnerability in Lenovo products. A buffer overflow has been identified in the SetupUtility driver in some Lenovo Notebook products which may allow an attacker with local access and elevated privileges to execute arbitrary code. | 6.7 |
2023-08-17 | CVE-2023-4028 | Classic Buffer Overflow vulnerability in Lenovo products. A buffer overflow has been identified in the SystemUserMasterHddPwdDxe driver in some Lenovo Notebook products which may allow an attacker with local access and elevated privileges to execute arbitrary code. | 6.7 |
2023-08-17 | CVE-2023-4029 | Classic Buffer Overflow vulnerability in Lenovo products. A buffer overflow has been identified in the BoardUpdateAcpiDxe driver in some Lenovo ThinkPad products which may allow an attacker with local access and elevated privileges to execute arbitrary code. | 6.7 |
2023-06-26 | CVE-2023-2290 | Unspecified vulnerability in Lenovo products. A potential vulnerability in the LenovoFlashDeviceInterface SMI handler may allow an attacker with local access and elevated privileges to execute arbitrary code. | 6.7 |
2023-06-26 | CVE-2023-2993 | Improper Preservation of Permissions vulnerability in Lenovo products. A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute. | 6.3 |
2023-06-26 | CVE-2023-34421 | Improper Input Validation vulnerability in Lenovo XClarity Administrator. A valid, authenticated LXCA user with elevated privileges may be able to replace filesystem data through a specifically crafted web API call due to insufficient input validation. | 6.5 |
2023-06-26 | CVE-2023-34422 | Improper Input Validation vulnerability in Lenovo XClarity Administrator. A valid, authenticated LXCA user with elevated privileges may be able to delete folders in the LXCA filesystem through a specifically crafted web API call due to insufficient input validation. | 6.5 |
2023-04-28 | CVE-2023-25495 | Insufficiently Protected Credentials vulnerability in Lenovo products. A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC to authenticate to an external LDAP server in certain configurations. | 4.9 |