Vulnerabilities > Lenovo > Thinksystem Sr630 V2 Firmware
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-25 | CVE-2023-4606 | Missing Authorization vulnerability in Lenovo products An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected. | 8.1 |
| 2023-10-25 | CVE-2023-4607 | Improper Privilege Management vulnerability in Lenovo products An authenticated XCC user can change permissions for any user through a crafted API command. | 8.8 |
| 2023-10-25 | CVE-2023-4608 | SQL Injection vulnerability in Lenovo products An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected. | 7.2 |
| 2023-05-01 | CVE-2023-0683 | Unspecified vulnerability in Lenovo products A valid, authenticated XCC user with read only access may gain elevated privileges through a specifically crafted API call. | 8.8 |
| 2023-05-01 | CVE-2023-25492 | Use of Externally-Controlled Format String vulnerability in Lenovo products A valid, authenticated user may be able to trigger a denial of service of the XCC web user interface or other undefined behavior through a format string injection vulnerability in a web interface API. | 8.8 |
| 2023-04-28 | CVE-2023-25495 | Insufficiently Protected Credentials vulnerability in Lenovo products A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC to authenticate to an external LDAP server in certain configurations. | 4.9 |
| 2023-04-28 | CVE-2023-29056 | Unspecified vulnerability in Lenovo products A valid LDAP user, under specific conditions, will default to read-only permissions when authenticating into XCC. | 5.9 |
| 2023-04-28 | CVE-2023-29057 | Unspecified vulnerability in Lenovo products A valid XCC user's local account permissions overrides their active directory permissions under specific configurations. | 8.8 |
| 2023-04-28 | CVE-2023-29058 | Unspecified vulnerability in Lenovo products A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI. | 6.5 |
| 2023-01-30 | CVE-2022-34884 | Out-of-bounds Write vulnerability in Lenovo products A buffer overflow exists in the Remote Presence subsystem which can potentially allow valid, authenticated users to cause a recoverable subsystem denial of service. | 6.5 |