cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-38512,https://securityvulnerability.io/vulnerability/CVE-2024-38512,Privilege Escalation Vulnerability in XCC Could Allow Command Injection via IPMI Commands,"A privilege escalation vulnerability has been identified in Lenovo's XCC product, enabling an authenticated user with elevated privileges to execute command injection by sending specially crafted IPMI commands. This vulnerability poses potential risks for systems dependent on XCC, as it can allow unauthorized control over critical system functionalities when exploited.",Lenovo,Xclarity Controller,7.2,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-07-26T20:15:00.000Z,0
CVE-2024-38511,https://securityvulnerability.io/vulnerability/CVE-2024-38511,Privilege Escalation Vulnerability in XCC Upload Processing,"A privilege escalation vulnerability exists in Lenovo's XCC product related to the upload processing functionality. This flaw can be exploited by an authenticated user with elevated privileges to execute command injection through specially crafted file uploads, potentially compromising system integrity and security. Users are advised to review their configurations and update to the latest versions of XCC to mitigate the risk associated with this vulnerability.",Lenovo,Xclarity Controller,7.2,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-07-26T20:15:00.000Z,0
CVE-2024-38510,https://securityvulnerability.io/vulnerability/CVE-2024-38510,Privilege Escalation Vulnerability in SSH Captive Command Shell Interface,"A vulnerability has been identified in Lenovo's SSH captive command shell interface, enabling privilege escalation for authenticated XCC users with elevated privileges. It allows for the execution of command injection attacks through the upload of specially crafted files. This security flaw poses significant risks, as attackers can exploit it to gain unauthorized access to sensitive system functionalities and execute arbitrary commands, compromising the integrity and security of affected environments.",Lenovo,Xclarity Controller,7.2,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-07-26T20:15:00.000Z,0
CVE-2024-38509,https://securityvulnerability.io/vulnerability/CVE-2024-38509,Privilege Escalation Vulnerability in IPMI Could Allow Arbitrary Code Execution,"A privilege escalation vulnerability exists in Lenovo's XCC product that enables an authenticated user with elevated privileges to execute arbitrary code. This vulnerability arises from improper handling of specially crafted IPMI commands, potentially allowing unauthorized code execution within the affected system. Organizations utilizing Lenovo XCC should review security updates and apply necessary patches to mitigate risks associated with this vulnerability.",Lenovo,Xclarity Controller,7.2,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-07-26T20:15:00.000Z,0
CVE-2024-38508,https://securityvulnerability.io/vulnerability/CVE-2024-38508,Privilege Escalation Vulnerability Discovered in XCC Web Interface or SSH Captive Command Shell Interface,"A privilege escalation vulnerability has been identified in the web interface and SSH captive command shell of Lenovo's XCC. This vulnerability permits an authenticated user with elevated privileges to execute command injection through specially crafted HTTP requests. The exploitation of this flaw can lead to unauthorized command execution, posing a significant security risk. It is essential for users and organizations reliant on XCC to implement the necessary security measures and patches to mitigate potential threats associated with this vulnerability.",Lenovo,Xclarity Controller,7.2,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-07-26T20:15:00.000Z,0
CVE-2023-4607,https://securityvulnerability.io/vulnerability/CVE-2023-4607,Permission Modification Vulnerability in Lenovo's XCC Platform,"A vulnerability exists within Lenovo's XCC platform that allows an authenticated user with XCC privileges to manipulate the permissions of other users. This is achieved through the execution of a specially crafted API command, potentially giving unauthorized users access to restricted functionalities or sensitive data.",Lenovo,Lenovo XClarity Controller (XCC),8.8,HIGH,0.0008900000248104334,false,,false,false,false,,,false,false,,2023-10-25T18:17:00.000Z,0
CVE-2023-4606,https://securityvulnerability.io/vulnerability/CVE-2023-4606,Authenticated Password Manipulation in ThinkSystem Servers by Lenovo,"An authentication vulnerability exists in Lenovo ThinkSystem servers, where an authenticated XCC user with Read-Only permissions can exploit a crafted API command to change another user's password. This issue affects ThinkSystem v2 and v3 servers equipped with XCC, while ThinkSystem v1 servers remain unaffected. Users are advised to implement necessary security measures to mitigate risks associated with unauthorized password changes.",Lenovo,Lenovo Xclarity Controller (xcc),8.1,HIGH,0.0007300000288523734,false,,false,false,false,,,false,false,,2023-10-25T18:17:00.000Z,0
CVE-2023-4608,https://securityvulnerability.io/vulnerability/CVE-2023-4608,SQL Injection Vulnerability in ThinkSystem Servers by Lenovo,"A blind SQL injection vulnerability exists in Lenovo ThinkSystem servers, affecting versions v2 and v3. This security flaw allows an authenticated XCC user with elevated privileges to execute a crafted API command resulting in unauthorized database access. It is crucial to mitigate this risk to protect sensitive data from potential exploitation.",Lenovo,Lenovo Xclarity Controller (xcc),4.1,MEDIUM,0.0007399999885819852,false,,false,false,false,,,false,false,,2023-10-25T18:17:00.000Z,0
CVE-2023-0683,https://securityvulnerability.io/vulnerability/CVE-2023-0683,XCC Privilege Escalation in Lenovo Products Due to API Misconfiguration,"An authenticated user with read-only access to Lenovo's Extreme Control Center (XCC) may exploit a vulnerability that allows them to elevate their privileges via a maliciously crafted API call. This could lead to unauthorized access to sensitive system functions, compromising the security of the affected environment. Organizations using XCC should assess their exposure and implement necessary mitigations.",Lenovo,Xclarity Controller,8.3,HIGH,0.0014199999859556556,false,,false,false,false,,,false,false,,2023-05-01T15:15:00.000Z,0
CVE-2023-25492,https://securityvulnerability.io/vulnerability/CVE-2023-25492,Denial of Service Vulnerability in Lenovo XCC Web Interface,"A format string injection vulnerability exists in the Lenovo XCC web user interface, allowing a valid authenticated user to potentially trigger a denial of service condition or cause other undefined behaviors through improper handling of API inputs. This flaw underscores the importance of secure coding practices to prevent misuse and ensure integrity in web applications.",Lenovo,Xclarity Controller,6.3,MEDIUM,0.00107999995816499,false,,false,false,false,,,false,false,,2023-05-01T15:15:00.000Z,0
CVE-2023-25495,https://securityvulnerability.io/vulnerability/CVE-2023-25495,LDAP Client Password Exposure in XCC by Lenovo,"An identified vulnerability allows a valid, authenticated administrative user to exploit the web interface API of Lenovo XCC to disclose the configured LDAP client password used for establishing authentication with an external LDAP server. This issue is relevant only in configurations where an LDAP client password has been specifically set. The risk is mitigated in setups without a configured LDAP client password.",Lenovo,Xclarity Controller,4.9,MEDIUM,0.0005799999926239252,false,,false,false,false,,,false,false,,2023-04-28T22:15:00.000Z,0
CVE-2023-29056,https://securityvulnerability.io/vulnerability/CVE-2023-29056,LDAP Authentication Flaw in Lenovo XCC Products,"A valid LDAP user may inadvertently be granted read-only permissions when logging into Lenovo's XCC. This issue arises if the XCC is configured to utilize an LDAP server for authentication and authorization, and crucially, if the login permission attribute is not defined. Should these conditions align, users are posed with significant access limitations, which could hinder their operational capabilities in managing the XCC.",Lenovo,Xclarity Controller,5.3,MEDIUM,0.0011699999449774623,false,,false,false,false,,,false,false,,2023-04-28T22:15:00.000Z,0
CVE-2023-29057,https://securityvulnerability.io/vulnerability/CVE-2023-29057,Privilege Escalation in Lenovo Products Due to Local Account Permissions Misconfiguration,"A misconfiguration in certain Lenovo products allows a valid XCC user's local account permissions to override their Active Directory permissions. This occurs under specific conditions where LDAP is configured for authentication and authorization, and the login sequence is set to 'Local First, then LDAP'. This configuration can lead to unauthorized access and privilege escalation, putting sensitive data and systems at risk.",Lenovo,Xclarity Controller,7.3,HIGH,0.0007699999841861427,false,,false,false,false,,,false,false,,2023-04-28T21:15:00.000Z,0
CVE-2023-29058,https://securityvulnerability.io/vulnerability/CVE-2023-29058,XCC Vulnerability in Lenovo Product Allows Unauthorized Role Modification,"An improperly configured access control in Lenovo's XCC allows a valid authenticated user with read-only permissions to modify custom user roles for other accounts and alter trespass messages via the XCC CLI. This oversight can lead to unauthorized privilege escalation if SSH is enabled and read-only permissions are assigned to multiple users. It is essential to ensure that SSH is disabled or that proper user permissions are allocated to minimize risks.",Lenovo,Xclarity Controller,6.4,MEDIUM,0.0004900000058114529,false,,false,false,false,,,false,false,,2023-04-28T21:15:00.000Z,0
CVE-2022-34888,https://securityvulnerability.io/vulnerability/CVE-2022-34888,Remote Mount Feature Vulnerability in Lenovo Products,"A vulnerability in Lenovo's Remote Mount feature can be exploited by authenticated users to establish connections to internal services that are typically restricted. This flaw may allow users to bypass established access controls, potentially exposing sensitive internal resources.",Lenovo,Lenovo Xclarity Controller,2.7,LOW,0.000539999979082495,false,,false,false,false,,,false,false,,2023-01-30T21:41:15.774Z,0
CVE-2022-34884,https://securityvulnerability.io/vulnerability/CVE-2022-34884,Buffer Overflow Flaw in Lenovo's Remote Presence Subsystem,"A buffer overflow vulnerability has been identified in Lenovo's Remote Presence subsystem. This issue may allow authenticated users to exploit the flaw, leading to a potential denial of service scenario within the subsystem. While the impact of this exploit may be recoverable, it poses risks to system availability and requires immediate attention.",Lenovo,Lenovo Xclarity Controller,7.2,HIGH,0.0007300000288523734,false,,false,false,false,,,false,false,,2023-01-30T21:32:54.220Z,0
CVE-2021-3956,https://securityvulnerability.io/vulnerability/CVE-2021-3956,Read-Only Authentication Bypass in Lenovo XClarity Controller Firmware,"A read-only authentication bypass vulnerability exists in Lenovo XClarity Controller firmware, particularly affecting devices utilizing LDAP Authentication Only Mode with an LDAP server that allows 'unauthenticated bind', such as Microsoft Active Directory. Through this vulnerability, an unauthorized user can gain read-only access to the XCC, allowing them to view configuration details without the ability to make changes. Devices configured for local authentication or those requiring authenticated or anonymous binds are not vulnerable.",Lenovo,Xclarity Controller (xcc),4.3,MEDIUM,0.000859999970998615,false,,false,false,false,,,false,false,,2022-05-18T16:10:24.000Z,0
CVE-2021-3473,https://securityvulnerability.io/vulnerability/CVE-2021-3473,Sensitive Information Exposure in Lenovo XClarity Controller,"An internal security audit revealed that using Lenovo XClarity Administrator to perform a backup or restore on the Lenovo XClarity Controller can lead to the exposure of configuration backup/restore passwords. These sensitive credentials are temporarily stored in an internal log buffer, which may be included in FFDC service logs generated by a privileged user. Although the log contents are overwritten within approximately ten minutes, the risk remains for users who have access to these logs, as the backup/restore password may be inadvertently disclosed during log generation.",Lenovo,Xclarity Controller (xcc),4.5,MEDIUM,0.0006500000017695129,false,,false,false,false,,,false,false,,2021-04-13T20:41:46.000Z,0
CVE-2019-6195,https://securityvulnerability.io/vulnerability/CVE-2019-6195,Authorization Bypass in Lenovo XClarity Controller,"An authorization bypass vulnerability in Lenovo XClarity Controller allows a valid authenticated user with lesser privileges access to higher-privileged information under specific conditions. If configured to use 'LDAP Authentication Only with Local Authorization,' a lower-privileged user can gain read-only access to sensitive data if they log in shortly after a higher-privileged user logs out. The issue does not manifest under other authentication configurations, highlighting the importance of proper mode selection to protect sensitive information.",Lenovo,Xclarity Controller (xcc),4.8,MEDIUM,0.0006200000061653554,false,,false,false,false,,,false,false,,2020-02-14T00:00:00.000Z,0
CVE-2019-6187,https://securityvulnerability.io/vulnerability/CVE-2019-6187,Stored CSV Injection Vulnerability in Lenovo XClarity Controller,"A vulnerability exists in Lenovo XClarity Controller that allows administrative users to store malformed data in specific server informational fields. This could lead to crafted formulas being included in exported CSV files. While the crafted formulas do not affect the XCC server directly, they can compromise the integrity of data when accessed through other applications. Users should be aware of potential security risks and take appropriate measures to validate and sanitize data inputs.",Lenovo,Lenovo Xclarity Controller (xcc),6.5,MEDIUM,0.0006500000017695129,false,,false,false,false,,,false,false,,2019-11-19T00:00:00.000Z,0