CVE-2018-9066

CWE-20 — Improper Input Validation3 documents3 sources

Severity

8.8HIGH

EPSS

0.7%

top 28.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lenovo Xclarity Administrator Lenovo Group Ltd. Lenovo Xclarity Administrator

Timeline

PublishedJul 30

Latest updateMay 13

Description

In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstances, inject additional parameters into a specific web API call which can result in privileged command execution within LXCA's underlying operating system.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDlenovo/xclarity_administrator< 2.1.0

▶CVEListV5lenovo_group_ltd./lenovo_xclarity_administratorEarlier than 2.1.0

🔴Vulnerability Details

GHSA

GHSA-5v67-p9g6-44qh: In Lenovo xClarity Administrator versions earlier than 2↗2022-05-13

▶

CVEList

CVE-2018-9066: In Lenovo xClarity Administrator versions earlier than 2↗2018-07-30

▶