CVE-2023-25492

CWE-134 — Uncontrolled Format String3 documents3 sources

Severity

8.8HIGH

EPSS

0.2%

top 57.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

110

Lenovo Thinkagile Hx1021 Firmware Lenovo Thinkagile Hx1320 Firmware Lenovo Thinkagile Hx1321 Firmware +107 more

Timeline

PublishedMay 1

Description

A valid, authenticated user may be able to trigger a denial of service of the XCC web user interface or other undefined behavior through a format string injection vulnerability in a web interface API.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages110 packages

▶NVDlenovo/thinkagile_vx_4u_firmware< 2.75_psi348s

▶NVDlenovo/thinkedge_se450__firmware< 1.60_usx324o

▶NVDlenovo/thinkagile_hx1021_firmware< 3.72_tei388s

▶NVDlenovo/thinkagile_hx1320_firmware< 8.88_cdi3a4a

▶NVDlenovo/thinkagile_hx1321_firmware< 8.88_cdi3a4a

🔴Vulnerability Details

CVEList

CVE-2023-25492: A valid, authenticated user may be able to trigger a denial of service of the XCC web user interface or other undefined behavior through a format stri↗2023-05-01

▶

GHSA

GHSA-8cv4-ph8g-vj2w: A valid, authenticated user may be able to trigger a denial of service of the XCC web user interface or other undefined behavior through a format stri↗2023-05-01

▶