Vulnerabilities > Lenovo > Thinksystem Sr645 V3 Firmware

DATE CVE VULNERABILITY TITLE RISK
2023-10-25 CVE-2023-4606 Missing Authorization vulnerability in Lenovo products
An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command.   This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.
network
low complexity
lenovo CWE-862
8.1
2023-10-25 CVE-2023-4607 Improper Privilege Management vulnerability in Lenovo products
An authenticated XCC user can change permissions for any user through a crafted API command.
network
low complexity
lenovo CWE-269
8.8
2023-10-25 CVE-2023-4608 SQL Injection vulnerability in Lenovo products
An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command.  This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.
network
low complexity
lenovo CWE-89
7.2
2023-05-01 CVE-2023-0683 Unspecified vulnerability in Lenovo products
A valid, authenticated XCC user with read only access may gain elevated privileges through a specifically crafted API call.
network
low complexity
lenovo
8.8
2023-05-01 CVE-2023-25492 Use of Externally-Controlled Format String vulnerability in Lenovo products
A valid, authenticated user may be able to trigger a denial of service of the XCC web user interface or other undefined behavior through a format string injection vulnerability in a web interface API.
network
low complexity
lenovo CWE-134
8.8
2023-04-28 CVE-2023-25495 Insufficiently Protected Credentials vulnerability in Lenovo products
A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC to authenticate to an external LDAP server in certain configurations.
network
low complexity
lenovo CWE-522
4.9
2023-04-28 CVE-2023-29056 Unspecified vulnerability in Lenovo products
A valid LDAP user, under specific conditions, will default to read-only permissions when authenticating into XCC.
network
high complexity
lenovo
5.9
2023-04-28 CVE-2023-29057 Unspecified vulnerability in Lenovo products
A valid XCC user's local account permissions overrides their active directory permissions under specific configurations.
network
low complexity
lenovo
8.8
2023-04-28 CVE-2023-29058 Unspecified vulnerability in Lenovo products
A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI.
network
low complexity
lenovo
6.5