133 matches found
CVE-2024-38509
CVE-2024-38509 affects Lenovo’s XClarity Controller (XCC). A flaw in how IPMI commands are processed can let an authenticated XCC user with elevated privileges execute arbitrary code, i.e., privilege escalation and code execution. The issue is documented with a base CVSS of 7.2 (HIGH) and is desc...
CVE-2024-38509
A privilege escalation vulnerability was discovered in XCC that could allow an authenticated XCC user with elevated privileges to execute arbitrary code via a specially crafted IPMI command...
CVE-2024-38508
Lenovo XClarity Controller (XCC) web interface or SSH captive command shell interface contains a privilege-escalation vulnerability (CVE-2024-38508). An authenticated XCC user with elevated privileges can perform arbitrary code execution by sending a specially crafted request. IBM’s advisory for ...
CVE-2024-38508
A privilege escalation vulnerability was discovered in the web interface or SSH captive command shell interface of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via a specially crafted request...
CVE-2024-38508
A privilege escalation vulnerability was discovered in the web interface or SSH captive command shell interface of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via a specially crafted request...
CVE-2024-2214 Missing array size check in _Mtxinit() in the Xtensa port
In Eclipse ThreadX before version 6.4.0, the Mtxinit function in the Xtensa port was missing an array size check causing a memory overwrite. The affected file was ports/xtensa/xcc/src/txcliblock.c...
CVE-2023-4607
An authenticated XCC user can change permissions for any user through a crafted API command...
CVE-2023-4606
An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected...
CVE-2023-4608
An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected...
Command injection
An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected...
Sql injection
An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected...
CVE-2023-4608
CVE-2023-4608 is an authenticated SQL injection vulnerability in Lenovo ThinkSystem’s XClarity Controller (XCC). The issue allows blind SQL injection in limited cases via a crafted API command when exploited by an authenticated XCC user with elevated privileges. Affected are ThinkSystem v2 and v3...
CVE-2023-4608
An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected...
CVE-2023-4608
An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected...
CVE-2023-4607
CVE-2023-4607 describes a vulnerability in Lenovo XClarity Controller (XCC): an authenticated XCC user can leverage a crafted API command to change the permissions of any user, effectively gaining elevated privileges. The issue is documented across multiple sources (Lenovo LEN-140960 reference; R...
CVE-2023-4606
An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected...
CVE-2023-4606
An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected...
CVE-2023-4606
CVE-2023-4606 affects Lenovo ThinkSystem ThinkSystem v2 and v3 servers with XCC. An authenticated XCC user with Read-Only privileges can change another user’s password via a crafted API command. Root cause and explicit exploit details are not provided in the available documents. CVSS v3.1 base sc...
PT-2023-29822 · Xcc · Xcc
Name of the Vulnerable Software and Affected Versions: XCC affected versions not specified Description: The issue allows an authenticated XCC user to change permissions for any user through a crafted API command. Recommendations: At the moment, there is no information about a newer version that...
PT-2023-29817 · Lenovo · Thinksystem
Name of the Vulnerable Software and Affected Versions: ThinkSystem versions v2 and v3 Description: An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command. This issue affects ThinkSystem servers with XCC. Recommendations: For...