VYPR
Vendor: Lenovo

Products: 505
CVEs: 486
Across products: 358
Status: Private

Recent CVEs

  • CVE-2017-5638 | Critical | KEV | Mar 11, 2017
    risk 0.86 | cvss 9.8 | epss 1.00

    The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type,…

  • CVE-2018-9079 | Critical | Sep 28, 2018
    risk 0.64 | cvss 9.8 | epss 0.01

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, adversaries can craft URLs to modify the Document Object Model (DOM) of the page. In addition, adversaries can inject HTML script tags and HTML tags with JavaScript handlers to execute arbitrary…

  • CVE-2018-14066 | Critical | Jul 15, 2018
    risk 0.64 | cvss 9.8 | epss 0.00

    The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phones, allows SQL injection. One consequence is that an application without the READ_SMS permission can read SMS messages. This affects Infinix X571 phones, as…

  • CVE-2017-3774 | Critical | Apr 19, 2018
    risk 0.64 | cvss 9.8 | epss 0.01

    A stack overflow vulnerability was discovered within the web administration service in Integrated Management Module 2 (IMM2) earlier than version 4.70 used in some Lenovo servers and earlier than version 6.60 used in some IBM servers. An attacker providing a crafted user ID and…

  • CVE-2017-3761 | Critical | Oct 17, 2017
    risk 0.64 | cvss 9.8 | epss 0.04

    The Lenovo Service Framework Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection which, in turn, could lead to remote code execution.

  • CVE-2017-3758 | Critical | Oct 17, 2017
    risk 0.64 | cvss 9.8 | epss 0.03

    Improper access controls on several Android components in the Lenovo Service Framework application can be exploited to enable remote code execution.

  • CVE-2016-8233 | Critical | Mar 1, 2017
    risk 0.64 | cvss 9.8 | epss 0.01

    Log files generated by Lenovo XClarity Administrator (LXCA) versions earlier than 1.2.2 may contain user credentials in a non-secure, clear text form that could be viewed by a non-privileged user.

  • CVE-2026-6281 | High | May 13, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on the device.

  • CVE-2025-8557 | High | Sep 11, 2025
    risk 0.57 | cvss 8.8 | epss 0.00

    An internal product security audit of Lenovo XClarity Orchestrator (LXCO) discovered the below vulnerability: An attacker with access to a device on the local Lenovo XClarity Orchestrator (LXCO) network segment may be able to manipulate the local device to create an alternate…

  • CVE-2023-4856 | High | Apr 15, 2024
    risk 0.57 | cvss 8.8 | epss 0.01

    A format string vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user to execute arbitrary commands on a specific API endpoint.

  • CVE-2018-9082 | High | Sep 28, 2018
    risk 0.57 | cvss 8.8 | epss 0.01

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one. As a result, attackers with access to the user's session tokens…

  • CVE-2018-9078 | High | Sep 28, 2018
    risk 0.57 | cvss 8.8 | epss 0.01

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device's origin instead of prompting to download the asset.…

  • CVE-2018-9066 | High | Jul 30, 2018
    risk 0.57 | cvss 8.8 | epss 0.02

    In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstances, inject additional parameters into a specific web API call which can result in privileged command execution within LXCA's underlying operating system.

  • CVE-2018-9064 | High | Jul 30, 2018
    risk 0.57 | cvss 8.8 | epss 0.01

    In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user may abuse a web API debug call to retrieve the credentials for the System Manager user.

  • CVE-2017-3770 | High | Sep 22, 2017
    risk 0.57 | cvss 8.8 | epss 0.01

    Privilege escalation vulnerability in LXCA versions earlier than 1.3.2 where an authenticated user may be able to abuse certain web interface functionality to execute privileged commands within the underlying LXCA operating system.

  • CVE-2016-8229 | High | Jun 4, 2017
    risk 0.57 | cvss 8.8 | epss 0.00

    A cross-site request forgery vulnerability in Lenovo Service Bridge before version 4 could be exploited by an attacker with access to the DHCP server used by the system where LSB is installed.

  • CVE-2016-4782 | High | May 23, 2016
    risk 0.57 | cvss 8.8 | epss 0.02

    Lenovo SHAREit before 3.5.98_ww on Android before 4.2 allows remote attackers to have unspecified impact via a crafted intent: URL, aka an "intent scheme URL attack."

  • CVE-2016-1491 | High | Jan 26, 2016
    risk 0.57 | cvss 8.8 | epss 0.02

    The Wifi hotspot in Lenovo SHAREit before 3.2.0 for Windows, when configured to receive files, has a hardcoded password of 12345678, which makes it easier for remote attackers to obtain access by leveraging a position within the WLAN coverage area.

  • CVE-2026-6282 | High | May 13, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files belonging to other users on the same device.

  • CVE-2024-6001 | High | Dec 16, 2024
    risk 0.53 | cvss 8.1 | epss 0.00

    An improper certificate validation vulnerability was reported in LADM that could allow a network attacker with the ability to redirect an update request to a remote server and execute code with elevated privileges.