Lucene search

LenovoCVELIST:CVE-2023-4608

HistoryOct 24, 2023 - 8:25 p.m.

CVE-2023-4608

2023-10-2420:25:49

CWE-89

lenovo

www.cve.org

thinksystem v2

thinksystem v3

xcc

sql injection

authenticated user

CVSS3

4.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

AI Score

7.6

Confidence

High

EPSS

0.001

Percentile

25.6%

JSON

An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command.

This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Lenovo XClarity Controller (XCC)",
    "vendor": "Lenovo",
    "versions": [
      {
        "status": "affected",
        "version": "various"
      }
    ]
  }
]

References

support.lenovo.com/us/en/product_security/LEN-140960

CVSS3

4.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

AI Score

7.6

Confidence

High

EPSS

0.001

Percentile

25.6%

JSON

Related for CVELIST:CVE-2023-4608