Vendor: Lenovo
Products: 378
CVEs: 72
Across products: 557
Status: Private
Products: 378 (CVE count per product)
- 49 CVEs
- 22 CVEs
- 7 CVEs
- 5 CVEs
- 4 CVEs
- 3 CVEs
- 3 CVEs
- 3 CVEs
- 3 CVEs
- 3 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 348 more; see the CVE list below for full coverage.
Recent CVEs (72)

EPSS is FIRST's exploit-prediction probability (0 to 1); KEV marks inclusion in the CISA Known Exploited Vulnerabilities catalog, and an empty KEV cell means the entry is not listed there.

| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-5638 | Critical | 0.85 | 9.8 | 0.94 | KEV | Mar 11, 2017 | The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. |
| CVE-2017-3761 | Critical | 0.64 | 9.8 | 0.05 | | Oct 17, 2017 | The Lenovo Service Framework Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection which, in turn, could lead to remote code execution. |
| CVE-2017-3758 | Critical | 0.64 | 9.8 | 0.02 | | Oct 17, 2017 | Improper access controls on several Android components in the Lenovo Service Framework application can be exploited to enable remote code execution. |
| CVE-2017-3770 | High | 0.57 | 8.8 | 0.00 | | Sep 22, 2017 | Privilege escalation vulnerability in LXCA versions earlier than 1.3.2 where an authenticated user may be able to abuse certain web interface functionality to execute privileged commands within the underlying LXCA operating system. |
| CVE-2016-8229 | High | 0.57 | 8.8 | 0.00 | | Jun 4, 2017 | A cross-site request forgery vulnerability in Lenovo Service Bridge before version 4 could be exploited by an attacker with access to the DHCP server used by the system where LSB is installed. |
| CVE-2016-4782 | High | 0.57 | 8.8 | 0.01 | | May 23, 2016 | Lenovo SHAREit before 3.5.98_ww on Android before 4.2 allows remote attackers to have unspecified impact via a crafted intent: URL, aka an "intent scheme URL attack." |
| CVE-2016-1491 | High | 0.57 | 8.8 | 0.02 | | Jan 26, 2016 | The Wi-Fi hotspot in Lenovo SHAREit before 3.2.0 for Windows, when configured to receive files, has a hardcoded password of 12345678, which makes it easier for remote attackers to obtain access by leveraging a position within the WLAN coverage area. |
| CVE-2017-3760 | High | 0.53 | 8.1 | 0.01 | | Oct 17, 2017 | The Lenovo Service Framework Android application uses a set of nonsecure credentials when performing integrity verification of downloaded applications and/or data. This exposes the application to man-in-the-middle attacks leading to possible remote code execution. |
| CVE-2017-3759 | High | 0.53 | 8.1 | 0.01 | | Oct 17, 2017 | The Lenovo Service Framework Android application accepts some responses from the server without proper validation. This exposes the application to man-in-the-middle attacks leading to possible remote code execution. |
| CVE-2017-3752 | High | 0.53 | 8.2 | 0.00 | | Aug 9, 2017 | An industry-wide vulnerability has been identified in the implementation of the Open Shortest Path First (OSPF) routing protocol used on some Lenovo switches. Exploitation of these implementation flaws may result in attackers being able to erase or alter the routing tables of one or many routers, switches, or other devices that support OSPF within a routing domain. |
| CVE-2016-8237 | High | 0.53 | 8.1 | 0.02 | | Apr 10, 2017 | Remote code execution in Lenovo Updates (not Lenovo System Update) allows man-in-the-middle attackers to execute arbitrary code. |
| CVE-2016-5729 | High | 0.53 | 8.2 | 0.00 | | Jun 30, 2016 | Lenovo BIOS EFI Driver allows local administrators to execute arbitrary code with System Management Mode (SMM) privileges via unspecified vectors. |
| CVE-2016-1489 | High | 0.52 | 8.0 | 0.01 | | Jan 26, 2016 | Lenovo SHAREit before 3.2.0 for Windows and SHAREit before 3.5.48_ww for Android transfer files in cleartext, which allows remote attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM) attacks via unspecified vectors. |
| CVE-2017-3746 | High | 0.51 | 7.8 | 0.00 | | Aug 29, 2017 | The ThinkPad USB 3.0 Ethernet Adapter (part number 4X90E51405) driver, various versions, was found to contain a privilege escalation vulnerability that could allow a local user to execute arbitrary code with administrative or system level privileges. |
| CVE-2017-3756 | High | 0.51 | 7.8 | 0.00 | | Aug 18, 2017 | A privilege escalation vulnerability was identified in Lenovo Active Protection System for ThinkPad systems versions earlier than 1.82.0.17. An attacker with local privileges could execute code with administrative privileges via an unquoted service path. |
| CVE-2017-3751 | High | 0.51 | 7.8 | 0.00 | | Aug 10, 2017 | An unquoted service path vulnerability was identified in the driver for the ThinkPad Compact USB Keyboard with TrackPoint versions earlier than 1.5.5.0. This could allow an attacker with local privileges to execute code with administrative privileges. |
| CVE-2017-3745 | High | 0.51 | 7.8 | 0.00 | | Jun 20, 2017 | In Lenovo XClarity Administrator (LXCA) before 1.3.0, if service data is downloaded from LXCA, a non-administrative user may have access to password information for users that have previously authenticated to the LXCA's internal LDAP server, including administrative accounts and service accounts with administrative privileges. This is an issue only for users who have used local authentication with LXCA and not remote authentication against external LDAP or ADFS servers. |
| CVE-2015-4596 | High | 0.51 | 7.8 | 0.00 | | Jun 13, 2017 | Lenovo Mouse Suite before 6.73 allows local users to run arbitrary code with administrator privileges. |
| CVE-2016-8228 | High | 0.51 | 7.8 | 0.00 | | Jun 4, 2017 | In Lenovo Service Bridge before version 4, a user with local privileges on a system could execute code with administrative privileges. |
| CVE-2016-8235 | High | 0.51 | 7.8 | 0.00 | | Apr 10, 2017 | Privilege escalation in Lenovo Customer Care Software Development Kit (CCSDK) versions earlier than 2.0.16.3 allows local users to execute code with elevated privileges. |
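Ordering a list like the one above for patching is the practical use of the CVSS, EPSS and KEV columns. The following is an added example, not code from the tracker: it parses rows in the table's column layout (CVE, Sev, Risk, CVSS, EPSS, KEV, Published, Description, which is assumed to be fixed) and sorts them KEV first, then by EPSS, then by CVSS. That ordering and the `needs_immediate_action` threshold are this example's policy, not the tracker's; `SAMPLE_TABLE` copies five rows from the table above with the descriptions abridged.

```python
"""Triage a markdown CVE table by KEV membership, EPSS, then CVSS.

Added example, not part of the tracker page. The column order is assumed
to match the table above; the sort policy is this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the table above: scores as shown there, descriptions abridged.
SAMPLE_TABLE = """\
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-5638 | Critical | 0.85 | 9.8 | 0.94 | KEV | Mar 11, 2017 | Apache Struts 2 Jakarta Multipart parser RCE via crafted Content-Type header |
| CVE-2017-3761 | Critical | 0.64 | 9.8 | 0.05 | | Oct 17, 2017 | Lenovo Service Framework command injection leading to RCE |
| CVE-2017-3770 | High | 0.57 | 8.8 | 0.00 | | Sep 22, 2017 | LXCA before 1.3.2 authenticated privilege escalation |
| CVE-2016-4782 | High | 0.57 | 8.8 | 0.01 | | May 23, 2016 | SHAREit for Android intent scheme URL attack |
| CVE-2016-1491 | High | 0.57 | 8.8 | 0.02 | | Jan 26, 2016 | SHAREit for Windows hotspot hardcoded password 12345678 |
"""

CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Entry:
    cve: str
    severity: str
    risk: float
    cvss: float
    epss: float
    kev: bool
    published: str
    description: str

    def sort_key(self):
        # Tuples sort ascending: False (KEV-listed) sorts before True,
        # and the negated scores put higher EPSS / CVSS first.
        return (not self.kev, -self.epss, -self.cvss)


def parse_row(line: str) -> Optional[Entry]:
    """Parse one markdown table row; None for the header, separator or junk."""
    line = line.strip()
    if not line.startswith("|"):
        return None
    cells = [c.strip() for c in line.strip("|").split("|")]
    if len(cells) < 8 or not CVE_ID.fullmatch(cells[0]):
        return None
    try:
        risk, cvss, epss = (float(cells[i]) for i in (2, 3, 4))
    except ValueError:
        return None
    return Entry(
        cve=cells[0],
        severity=cells[1],
        risk=risk,
        cvss=cvss,
        epss=epss,
        kev=cells[5].upper() == "KEV",
        published=cells[6],
        description=" | ".join(cells[7:]),  # a description may itself contain pipes
    )


def parse_table(text: str) -> List[Entry]:
    rows = (parse_row(line) for line in text.splitlines())
    return [e for e in rows if e is not None]


def prioritize(text: str) -> List[Entry]:
    """Entries in patch order: KEV first, then EPSS descending, then CVSS descending."""
    return sorted(parse_table(text), key=Entry.sort_key)


def needs_immediate_action(entry: Entry, epss_floor: float = 0.1) -> bool:
    """Assumed policy: act now on KEV entries and on anything with EPSS >= epss_floor."""
    return entry.kev or entry.epss >= epss_floor


if __name__ == "__main__":
    for e in prioritize(SAMPLE_TABLE):
        flag = "NOW " if needs_immediate_action(e) else "    "
        print(f"{flag}{e.cve:15} KEV={e.kev!s:5} EPSS={e.epss:.2f} CVSS={e.cvss:.1f}  {e.description}")
```

Note that CVSS alone would rank CVE-2017-3761 level with CVE-2017-5638; the KEV flag and the 0.94 EPSS are what separate a vulnerability with confirmed in-the-wild exploitation from one that merely scores 9.8.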
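Two rows above (CVE-2017-3756 and CVE-2017-3751) are unquoted service path bugs. The mechanism is that when a service's ImagePath is unquoted and contains spaces, Windows tries each space-delimited prefix, with `.exe` appended, as the executable before reaching the intended one, so a directory on that path that a low-privileged user can write to lets them plant a binary that the service then runs with its own (usually SYSTEM) privileges. The following is an added example, not code from the page or from Lenovo: it enumerates those candidate paths and flags the ones a user could create. Every ImagePath string and the writable-directory set are constructed for illustration; the Lenovo-looking paths are hypothetical, not the products' real install paths.

```python
"""Model the unquoted-service-path lookup and flag hijackable candidates.

Added example, not from the page or from Lenovo. Service paths and the
writable-directory set are constructed; the Lenovo-style paths are hypothetical.
"""
import ntpath
from typing import Dict, Iterable, List


def candidate_executables(image_path: str) -> List[str]:
    """Executables Windows would try, in order, for a service ImagePath.

    Mirrors the CreateProcess rule for an unquoted command line: each prefix
    ending at a space is tried, ".exe" is appended when it has no extension,
    and the search ends at the first prefix that already names an .exe.
    A quoted ImagePath is unambiguous, so it yields no candidates.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    candidates: List[str] = []
    tokens = path.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)  # the intended binary (arguments follow)
            break
        candidates.append(prefix + ".exe")
    return candidates


def _norm(p: str) -> str:
    # ntpath works on any host OS; normcase lowercases and fixes slashes.
    return ntpath.normcase(p).rstrip("\\")


def hijack_points(image_path: str, writable_dirs: Iterable[str]) -> List[str]:
    """Candidates a low-privileged user could create, given directories they can write to."""
    writable = {_norm(d) for d in writable_dirs}
    return [c for c in candidate_executables(image_path)
            if _norm(ntpath.dirname(c)) in writable]


# Constructed sample services: hypothetical ImagePath values, not Lenovo's real ones.
SERVICES: Dict[str, str] = {
    "LenovoAPS": r"C:\Program Files\Lenovo\Active Protection\aps.exe",
    "TrackPointKbd": r'"C:\Program Files\Lenovo\Compact Keyboard\tpkbd.exe"',
    "SomeSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}
# Constructed: pretend the vendor directory was left writable by Users.
WRITABLE_BY_USERS = [r"C:\Program Files\Lenovo"]


def audit(services: Dict[str, str], writable_dirs: Iterable[str]) -> Dict[str, List[str]]:
    """Map service name -> hijackable candidate paths (empty list means not exposed)."""
    return {name: hijack_points(path, writable_dirs) for name, path in services.items()}


if __name__ == "__main__":
    for name, hits in audit(SERVICES, WRITABLE_BY_USERS).items():
        print(f"{name}: {'VULNERABLE via ' + ', '.join(hits) if hits else 'ok'}")
```

On a real host, feed the function the output of `Get-CimInstance Win32_Service` (the `PathName` property) or `wmic service get name,pathname`, and build the writable set from `icacls` output for the directories along each path rather than from a constructed list. The fix for both CVEs is the one the descriptions imply: quote the ImagePath so the whole string is resolved as one path.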