CVE-2023-29058

CWE-276 — Incorrect Default Permissions3 documents3 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 76.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

110

Lenovo Thinkagile Hx1021 Firmware Lenovo Thinkagile Hx1320 Firmware Lenovo Thinkagile Hx1321 Firmware +107 more

Timeline

PublishedApr 28

Description

A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI. There is no exposure if SSH is disabled or if there are no users assigned optional read-only permissions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:HExploitability: 0.9 | Impact: 5.5

Affected Packages110 packages

▶NVDlenovo/thinkagile_vx_4u_firmware< 2.75_psi348s

▶NVDlenovo/thinkedge_se450__firmware< 1.60_usx324o

▶NVDlenovo/thinkagile_hx1021_firmware< 3.72_tei388s

▶NVDlenovo/thinkagile_hx1320_firmware< 8.88_cdi3a4a

▶NVDlenovo/thinkagile_hx1321_firmware< 8.88_cdi3a4a

🔴Vulnerability Details

CVEList

CVE-2023-29058: A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through t↗2023-04-28

▶

GHSA

GHSA-fmgc-gvmv-xqxp: A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through t↗2023-04-28

▶