VYPR

Iomega Storcenter

by Lenovo

CVEs (9)

  • CVE-2018-9079CriSep 28, 2018
    risk 0.64cvss 9.8epss 0.01

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, adversaries can craft URLs to modify the Document Object Model (DOM) of the page. In addition, adversaries can inject HTML script tags and HTML tags with JavaScript handlers to execute arbitrary…

  • CVE-2018-9082HigSep 28, 2018
    risk 0.57cvss 8.8epss 0.01

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one. As a result, attackers with access to the user's session tokens…

  • CVE-2018-9078HigSep 28, 2018
    risk 0.57cvss 8.8epss 0.01

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device's origin instead of prompting to download the asset.…

  • CVE-2018-9077HigSep 28, 2018
    risk 0.53cvss 8.1epss 0.02

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when changing the name of a share, an attacker can craft a command injection payload using backtick "``" characters in the share : name parameter. As a result, arbitrary commands may be executed…

  • CVE-2018-9076HigSep 28, 2018
    risk 0.53cvss 8.1epss 0.02

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when changing the name of a share, an attacker can craft a command injection payload using backtick "``" characters in the name parameter. As a result, arbitrary commands may be executed as the…

  • CVE-2018-9075HigSep 28, 2018
    risk 0.53cvss 8.1epss 0.04

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when joining a PersonalCloud setup, an attacker can craft a command injection payload using backtick "``" characters in the client:password parameter. As a result, arbitrary commands may be…

  • CVE-2018-9074MedSep 28, 2018
    risk 0.42cvss 6.5epss 0.01

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file upload functionality of the Content Explorer application is vulnerable to path traversal. As a result, users can upload files anywhere on the device's operating system as the root user.

  • CVE-2018-9080MedSep 28, 2018
    risk 0.38cvss 5.9epss 0.01

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, by setting the Iomega cookie to a known value before logging into the NAS's web application, the NAS will not provide the user a new cookie value. This allows an attacker who knows the cookie's…

  • CVE-2018-9081MedSep 28, 2018
    risk 0.31cvss 4.7epss 0.01

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file name used for assets accessible through the Content Viewer application are vulnerable to self cross-site scripting self-XSS. As a result, adversaries can add files to shares accessible…