Lenovo XClarity Controller vulnerabilities
6 known vulnerabilities affecting lenovo/lenovo_xclarity_controller.
Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 3
Vulnerabilities
CVE-2023-4607 | HIGH | CVSS 8.8 | CWE-269 | Affected versions: various | Published: 2023-10-25
An authenticated XCC user can change permissions for any user through a crafted API command.
Sources: cvelistv5, nvd
CVE-2023-4608 | HIGH | CVSS 7.2 | CWE-89 | Affected versions: various | Published: 2023-10-25
An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command.
This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.
Sources: cvelistv5, nvd
CVE-2023-4606 | HIGH | CVSS 8.1 | CWE-862 | Affected versions: various | Published: 2023-10-25
An authenticated XCC user with Read-Only permission can change a different user's password through a crafted API command.
This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.
Sources: cvelistv5, nvd
CVE-2022-34884 | MEDIUM | CVSS 6.5 | CWE-121 | Affected versions: various | Published: 2023-01-30
A buffer overflow exists in the Remote Presence subsystem which can potentially allow valid, authenticated users to cause a recoverable subsystem denial of service.
Sources: cvelistv5, nvd
CVE-2022-34888 | MEDIUM | CVSS 4.3 | CWE-184 | Affected versions: various | Published: 2023-01-30
The Remote Mount feature can potentially be abused by valid, authenticated users to make connections to internal services that may not normally be accessible to users. Internal service access controls, as applicable, remain in effect.
Sources: cvelistv5, nvd
CVE-2019-6187 | MEDIUM | CVSS 6.5 | CWE-1236 | Affected versions: ≥ unspecified, < TEI392M; ≥ unspecified, < CDI340M; +2 more | Published: 2019-11-20
A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server informational fields, that could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on XCC its
Sources: cvelistv5, nvd