Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Lenovo Subscribe
Total 284 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-3762 2 Lenovo, Microsoft 4 Fingerprint Manager Pro, Windows 7, Windows 8 and 1 more 2019-05-08 7.2 HIGH 7.8 HIGH
Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed.
CVE-2019-6149 1 Lenovo 2 Dynamic Power Reduction, Thinkpad X1 Carbon 2019-03-21 7.2 HIGH 6.7 MEDIUM
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-9080 1 Lenovo 40 Ez Media \& Backup Center, Ez Media \& Backup Center Firmware, Ix2 and 37 more 2019-01-08 4.3 MEDIUM 5.9 MEDIUM
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, by setting the Iomega cookie to a known value before logging into the NAS's web application, the NAS will not provide the user a new cookie value. This allows an attacker who knows the cookie's value to compromise the user's session.
CVE-2018-9082 1 Lenovo 40 Ez Media \& Backup Center, Ez Media \& Backup Center Firmware, Ix2 and 37 more 2019-01-07 4.0 MEDIUM 8.8 HIGH
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one. As a result, attackers with access to the user's session tokens can change their password and retain access to the user's account
CVE-2018-16097 1 Lenovo 1 Xclarity Integrator 2018-12-28 4.0 MEDIUM 6.5 MEDIUM
LXCI for VMware versions prior to 5.5 and LXCI for Microsoft System Center versions prior to 3.5, allow an authenticated user to write to any system file due to insufficient sanitization during the upload of a certificate.
CVE-2018-16093 1 Lenovo 1 Xclarity Integrator 2018-12-28 4.0 MEDIUM 6.5 MEDIUM
In versions prior to 5.5, LXCI for VMware allows an authenticated user to write to any system file due to insufficient sanitization during the upload of a backup file.
CVE-2018-9072 1 Lenovo 1 Xclarity Integrator 2018-12-28 4.0 MEDIUM 6.5 MEDIUM
In versions prior to 5.5, LXCI for VMware allows an authenticated user to download any system file due to insufficient input sanitization during file downloads.
CVE-2018-9071 1 Lenovo 2 Chassis Management Module, Chassis Management Module Firmware 2018-12-20 5.0 MEDIUM 5.3 MEDIUM
Lenovo Chassis Management Module (CMM) prior to version 2.0.0 allows unauthenticated users to retrieve information related to the current authentication configuration settings. Exposed settings relate to password lengths, expiration, and lockout configuration.
CVE-2018-9073 1 Lenovo 2 Chassis Management Module, Chassis Management Module Firmware 2018-12-20 4.3 MEDIUM 5.9 MEDIUM
Lenovo Chassis Management Module (CMM) prior to version 2.0.0 utilizes a hardcoded encryption key to protect certain secrets. Possession of the key can allow an attacker that has already compromised the server to decrypt these secrets.
CVE-2018-12169 2 Intel, Lenovo 32 Core I3, Core I5, Core I7 and 29 more 2018-12-20 4.6 MEDIUM 7.6 HIGH
Platform sample code firmware in 4th Generation Intel Core Processor, 5th Generation Intel Core Processor, 6th Generation Intel Core Processor, 7th Generation Intel Core Processor and 8th Generation Intel Core Processor contains a logic error which may allow physical attacker to potentially bypass firmware authentication.
CVE-2018-16091 1 Lenovo 8 System Management Module Firmware, Thinkagile Hx Enclosure 7x81, Thinkagile Hx Enclosure 7y87 and 5 more 2018-12-19 6.8 MEDIUM 8.1 HIGH
In System Management Module (SMM) versions prior to 1.06, the SMM certificate creation and parsing logic is vulnerable to several buffer overflows.
CVE-2018-16094 1 Lenovo 8 System Management Module Firmware, Thinkagile Hx Enclosure 7x81, Thinkagile Hx Enclosure 7y87 and 5 more 2018-12-19 6.8 MEDIUM 8.1 HIGH
In System Management Module (SMM) versions prior to 1.06, an internal SMM function that retrieves configuration settings is prone to a buffer overflow.
CVE-2018-16096 1 Lenovo 8 System Management Module Firmware, Thinkagile Hx Enclosure 7x81, Thinkagile Hx Enclosure 7y87 and 5 more 2018-12-19 4.3 MEDIUM 6.1 MEDIUM
In System Management Module (SMM) versions prior to 1.06, the SMM web interface for changing Enclosure VPD fails to sufficiently sanitize all input for HTML tags, possibly opening a path for cross-site scripting.
CVE-2018-9074 1 Lenovo 22 Iomega Ez Media \& Backup Center, Iomega Storcenter Ix2, Iomega Storcenter Ix2-dl and 19 more 2018-11-20 6.8 MEDIUM 6.5 MEDIUM
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file upload functionality of the Content Explorer application is vulnerable to path traversal. As a result, users can upload files anywhere on the device's operating system as the root user.
CVE-2018-9081 1 Lenovo 40 Ez Media \& Backup Center, Ez Media \& Backup Center Firmware, Ix2 and 37 more 2018-11-16 2.6 LOW 4.7 MEDIUM
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file name used for assets accessible through the Content Viewer application are vulnerable to self cross-site scripting self-XSS. As a result, adversaries can add files to shares accessible from the Content Viewer with a cross site scripting payload in its name, and wait for a user to try and rename the file for their payload to trigger.
CVE-2007-2240 1 Lenovo 2 Access Support, Automated Solutions 2018-10-12 5.8 MEDIUM N/A
The IBM Lenovo Access Support acpRunner ActiveX control, as distributed in acpcontroller.dll before 1.2.8.0 and possibly acpir.dll before 1.0.0.9 (Automated Solutions 1.0 before fix pack 1), does not properly validate digital signatures of downloaded software, which makes it easier for remote attackers to spoof a download.
CVE-2007-2929 1 Lenovo 2 Access Support, Automated Solutions 2018-10-12 5.8 MEDIUM N/A
The IBM Lenovo Access Support acpRunner ActiveX control, as distributed in acpcontroller.dll before 1.2.8.0 and possibly acpir.dll before 1.0.0.9 (Automated Solutions 1.0 before fix pack 1), exposes unsafe methods to arbitrary web domains, which allows remote attackers to download arbitrary code onto a client system and execute this code.
CVE-2007-2928 1 Lenovo 2 Access Support, Automated Solutions 2018-10-12 5.8 MEDIUM N/A
Format string vulnerability in the IBM Lenovo Access Support acpRunner ActiveX control, as distributed in acpcontroller.dll before 1.2.8.0 and possibly acpir.dll before 1.0.0.9 (Automated Solutions 1.0 before fix pack 1), allows remote attackers to execute arbitrary code via format string specifiers in unknown data.
CVE-2008-4589 1 Lenovo 1 Resuce And Recovery 2018-10-11 7.2 HIGH N/A
Heap-based buffer overflow in the tvtumin.sys kernel driver in Lenovo Rescue and Recovery 4.20, including 4.20.0511 and 4.20.0512, allows local users to execute arbitrary code via a long file name.
CVE-2016-1490 1 Lenovo 1 Shareit 2018-10-09 2.7 LOW 4.1 MEDIUM
The Wifi hotspot in Lenovo SHAREit before 3.2.0 for Windows allows remote attackers to obtain sensitive file names via a crafted file request to /list.