Vulnerabilities > Lenovo > Thinkagile Hx3375 Firmware > High

DATE CVE VULNERABILITY TITLE RISK
2023-10-25 CVE-2023-4606 Missing Authorization vulnerability in Lenovo products
An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command.   This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.
network
low complexity
lenovo CWE-862
8.1
2023-10-25 CVE-2023-4607 Improper Privilege Management vulnerability in Lenovo products
An authenticated XCC user can change permissions for any user through a crafted API command.
network
low complexity
lenovo CWE-269
8.8
2023-10-25 CVE-2023-4608 SQL Injection vulnerability in Lenovo products
An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command.  This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.
network
low complexity
lenovo CWE-89
7.2
2023-05-01 CVE-2023-0683 Unspecified vulnerability in Lenovo products
A valid, authenticated XCC user with read only access may gain elevated privileges through a specifically crafted API call.
network
low complexity
lenovo
8.8
2023-05-01 CVE-2023-25492 Use of Externally-Controlled Format String vulnerability in Lenovo products
A valid, authenticated user may be able to trigger a denial of service of the XCC web user interface or other undefined behavior through a format string injection vulnerability in a web interface API.
network
low complexity
lenovo CWE-134
8.8
2023-04-28 CVE-2023-29057 Unspecified vulnerability in Lenovo products
A valid XCC user's local account permissions overrides their active directory permissions under specific configurations.
network
low complexity
lenovo
8.8