Lenovo Security Advisory: LEN-27805
**Potential Impact:** Information disclosure, code execution
Severity: Medium
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2019-6179, CVE-2019-6180, CVE-2019-6181, CVE-2019-6182
Summary Description:
Vulnerabilities reported in Lenovo XClarity Administrator (LXCA) and Lenovo XClarity Integrator (LXCI) could allow information disclosure or code execution.
CVE-2019-6179
An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) and Lenovo XClarity Integrator (LXCI) that could allow information disclosure.
CVE-2019-6180
A stored cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) that could allow an administrative user to cause JavaScript code to be stored in LXCA which may then be executed in the user's web browser. The JavaScript code is not executed on LXCA itself.
CVE-2019-6181
A reflected cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) that could allow a crafted URL, if visited, to cause JavaScript code to be executed in the user's web browser. The JavaScript code is not executed on LXCA itself.
CVE-2019-6182
A stored CSV Injection vulnerability was reported in Lenovo XClarity Administrator (LXCA) that could allow an administrative user to store malformed data in LXCA Jobs and Event Log data, which could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on LXCA itself.
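A check for the CSV injection case in CVE-2019-6182, as an added example that is not Lenovo's code: it scans an exported CSV for cells a spreadsheet would evaluate as formulas and writes a neutralized copy. The column names and sample rows are constructed and do not reflect the real LXCA export format; the prefix set and the single-quote prefix follow OWASP's CSV injection guidance.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (the set listed in OWASP's CSV injection guidance).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export; the columns are assumptions, not LXCA's format.
SAMPLE_EXPORT = (
    "Job,Status,Description\n"
    "Firmware update,Complete,Updated node-01\n"
    'Inventory,Complete,"=SUM(1,1)"\n'
    "Power action,Failed,-12\n"
    "@SUM(A1),Complete,ok\n"
)

def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would interpret the cell as a formula."""
    if not cell.startswith(FORMULA_PREFIXES):
        return False
    try:
        float(cell)  # design choice: signed numbers such as "-12" are data
        return False
    except ValueError:
        return True

def scan_csv(text: str):
    """Return (row, column, value) for every formula-like cell, 1-indexed."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text, newline="")), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings

def neutralize_csv(text: str) -> str:
    """Rewrite the CSV so formula-like cells open as plain text."""
    out = io.StringIO(newline="")
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(text, newline="")):
        writer.writerow(["'" + c if is_formula_like(c) else c for c in row])
    return out.getvalue()

if __name__ == "__main__":
    for finding in scan_csv(SAMPLE_EXPORT):
        print("formula-like cell at row %d, column %d: %r" % finding)
    print(neutralize_csv(SAMPLE_EXPORT))
```

Running the scan over CSV files exported before the update shows whether any stored Jobs or Event Log entries would be evaluated when the file is opened in a spreadsheet.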
Mitigation Strategy for Customers (what you should do to protect yourself):
Update your LXCA installation to version 2.5.0 or later.
Update LXCI for Microsoft System Center to version 7.7.0 or later.
Update LXCI for VMware vCenter to version 6.1.0 or later.
Acknowledgement:
CVE-2019-6179: Lenovo thanks USD AG for reporting this issue.
Revision History:
Revision | Date | Description
---|---|---
1 | 2019-09-03 | Initial release
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an "as is" basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.