CVE-2023-4608 — SQL Injection in Lenovo Xclarity Controller

CWE-89 — SQL Injection3 documents3 sources

Severity

7.2HIGHNVD

CNA4.1

EPSS

0.1%

top 73.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lenovo Xclarity Controller

Timeline

PublishedOct 25

Description

An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages1 packages

▶CVEListV5lenovo/lenovo_xclarity_controllervarious

🔴Vulnerability Details

GHSA

GHSA-96gf-qq25-2c24: An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command↗2023-10-25

▶

CVEList

CVE-2023-4608: An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command↗2023-10-24

▶