VYPR Vendor CVEs: Lenovo, all CVEs

486 total · sorted by risk
  • CVE-2017-5638 · Critical · KEV · Mar 11, 2017
    risk 0.86 · CVSS 9.8 · EPSS 1.00

    The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type,…

  • CVE-2018-9079 · Critical · Sep 28, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, adversaries can craft URLs to modify the Document Object Model (DOM) of the page. In addition, adversaries can inject HTML script tags and HTML tags with JavaScript handlers to execute arbitrary…

  • CVE-2018-14066 · Critical · Jul 15, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phones, allows SQL injection. One consequence is that an application without the READ_SMS permission can read SMS messages. This affects Infinix X571 phones, as…

  • CVE-2017-3774 · Critical · Apr 19, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A stack overflow vulnerability was discovered within the web administration service in Integrated Management Module 2 (IMM2) earlier than version 4.70 used in some Lenovo servers and earlier than version 6.60 used in some IBM servers. An attacker providing a crafted user ID and…

  • CVE-2017-3761 · Critical · Oct 17, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    The Lenovo Service Framework Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection which, in turn, could lead to remote code execution.

  • CVE-2017-3758 · Critical · Oct 17, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    Improper access controls on several Android components in the Lenovo Service Framework application can be exploited to enable remote code execution.

  • CVE-2016-8233 · Critical · Mar 1, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Log files generated by Lenovo XClarity Administrator (LXCA) versions earlier than 1.2.2 may contain user credentials in a non-secure, clear text form that could be viewed by a non-privileged user.

  • CVE-2026-6281 · High · May 13, 2026
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on the device.

  • CVE-2025-8557 · High · Sep 11, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    An internal product security audit of Lenovo XClarity Orchestrator (LXCO) discovered the below vulnerability: An attacker with access to a device on the local Lenovo XClarity Orchestrator (LXCO) network segment may be able to manipulate the local device to create an alternate…

  • CVE-2023-4856 · High · Apr 15, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    A format string vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user to execute arbitrary commands on a specific API endpoint.

  • CVE-2018-9082 · High · Sep 28, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one. As a result, attackers with access to the user's session tokens…

  • CVE-2018-9078 · High · Sep 28, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device's origin instead of prompting to download the asset.…

  • CVE-2018-9066 · High · Jul 30, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.02

    In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstances, inject additional parameters into a specific web API call which can result in privileged command execution within LXCA's underlying operating system.

  • CVE-2018-9064 · High · Jul 30, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user may abuse a web API debug call to retrieve the credentials for the System Manager user.

  • CVE-2017-3770 · High · Sep 22, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Privilege escalation vulnerability in LXCA versions earlier than 1.3.2 where an authenticated user may be able to abuse certain web interface functionality to execute privileged commands within the underlying LXCA operating system.

  • CVE-2016-8229 · High · Jun 4, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    A cross-site request forgery vulnerability in Lenovo Service Bridge before version 4 could be exploited by an attacker with access to the DHCP server used by the system where LSB is installed.

  • CVE-2016-4782 · High · May 23, 2016
    risk 0.57 · CVSS 8.8 · EPSS 0.02

    Lenovo SHAREit before 3.5.98_ww on Android before 4.2 allows remote attackers to have unspecified impact via a crafted intent: URL, aka an "intent scheme URL attack."

  • CVE-2016-1491 · High · Jan 26, 2016
    risk 0.57 · CVSS 8.8 · EPSS 0.02

    The Wifi hotspot in Lenovo SHAREit before 3.2.0 for Windows, when configured to receive files, has a hardcoded password of 12345678, which makes it easier for remote attackers to obtain access by leveraging a position within the WLAN coverage area.

  • CVE-2026-6282 · High · May 13, 2026
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files belonging to other users on the same device.

  • CVE-2024-6001 · High · Dec 16, 2024
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    An improper certificate validation vulnerability was reported in LADM that could allow a network attacker with the ability to redirect an update request to a remote server and execute code with elevated privileges.

  • CVE-2018-9077 · High · Sep 28, 2018
    risk 0.53 · CVSS 8.1 · EPSS 0.02

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when changing the name of a share, an attacker can craft a command injection payload using backtick "``" characters in the share : name parameter. As a result, arbitrary commands may be executed…

  • CVE-2018-9076 · High · Sep 28, 2018
    risk 0.53 · CVSS 8.1 · EPSS 0.02

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when changing the name of a share, an attacker can craft a command injection payload using backtick "``" characters in the name parameter. As a result, arbitrary commands may be executed as the…

  • CVE-2018-9075 · High · Sep 28, 2018
    risk 0.53 · CVSS 8.1 · EPSS 0.04

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when joining a PersonalCloud setup, an attacker can craft a command injection payload using backtick "``" characters in the client:password parameter. As a result, arbitrary commands may be…

  • CVE-2017-3760 · High · Oct 17, 2017
    risk 0.53 · CVSS 8.1 · EPSS 0.01

    The Lenovo Service Framework Android application uses a set of nonsecure credentials when performing integrity verification of downloaded applications and/or data. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.

  • CVE-2017-3759 · High · Oct 17, 2017
    risk 0.53 · CVSS 8.1 · EPSS 0.02

    The Lenovo Service Framework Android application accepts some responses from the server without proper validation. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.

  • CVE-2017-3752 · High · Aug 9, 2017
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    An industry-wide vulnerability has been identified in the implementation of the Open Shortest Path First (OSPF) routing protocol used on some Lenovo switches. Exploitation of these implementation flaws may result in attackers being able to erase or alter the routing tables of…

  • CVE-2016-8237 · High · Apr 10, 2017
    risk 0.53 · CVSS 8.1 · EPSS 0.03

    Remote code execution in Lenovo Updates (not Lenovo System Update) allows man-in-the-middle attackers to execute arbitrary code.

  • CVE-2016-5729 · High · Jun 30, 2016
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    Lenovo BIOS EFI Driver allows local administrators to execute arbitrary code with System Management Mode (SMM) privileges via unspecified vectors.

  • CVE-2016-1489 · High · Jan 26, 2016
    risk 0.52 · CVSS 8.0 · EPSS 0.02

    Lenovo SHAREit before 3.2.0 for Windows and SHAREit before 3.5.48_ww for Android transfer files in cleartext, which allows remote attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM) attacks via unspecified vectors.

  • CVE-2026-9045 · High · Jun 10, 2026
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    During an internal security assessment, a potential vulnerability was discovered in Lenovo Accessories and Display Manager for Enterprise for Windows that could allow a local authenticated user to execute arbitrary code with elevated privileges.

  • CVE-2026-8637 · High · Jun 10, 2026
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    A potential uncontrolled search path vulnerability was reported in the LanSchool Classic client application that could allow a local authenticated user to execute arbitrary code with elevated privileges.

  • CVE-2026-4145 · High · Apr 15, 2026
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix that could allow a local authenticated user to perform arbitrary code execution with elevated privileges.

  • CVE-2019-25266 · High · Feb 6, 2026
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    Wondershare Application Framework Service 2.4.3.231 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted service path by placing malicious executables in…

  • CVE-2020-37048 · High · Feb 1, 2026
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    Iskysoft Application Framework Service 2.4.3.241 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious…

  • CVE-2025-13155 · High · Dec 10, 2025
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    An improper permissions vulnerability was reported in Lenovo Baiying Client that could allow a local authenticated user to execute code with elevated privileges.

  • CVE-2025-13152 · High · Dec 10, 2025
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    A potential DLL hijacking vulnerability was reported in Lenovo One Client during an internal security assessment that could allow a local authenticated user to execute code with elevated privileges.

  • CVE-2025-12046 · High · Dec 10, 2025
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    A DLL hijacking vulnerability was reported in the Lenovo App Store and Lenovo Browser applications that could allow a local authenticated user to execute code with elevated privileges under certain conditions.

  • CVE-2025-0886 · High · Jul 17, 2025
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    An incorrect permissions vulnerability was reported in Elliptic Labs Virtual Lock Sensor that could allow a local, authenticated user to escalate privileges.

  • CVE-2024-12673 · High · Feb 12, 2025
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    An improper privilege vulnerability was reported in a BIOS customization feature of Lenovo Vantage on SMB notebook devices which could allow a local attacker to elevate privileges on the system. This vulnerability only affects Vantage installed on these devices: * Lenovo V…

  • CVE-2024-33582 · High · Oct 11, 2024
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    A DLL hijack vulnerability was reported in Lenovo Service Framework that could allow a local attacker to execute code with elevated privileges.

  • CVE-2024-33581 · High · Oct 11, 2024
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    A DLL hijack vulnerability was reported in Lenovo PC Manager AI intelligent scenario that could allow a local attacker to execute code with elevated privileges.

  • CVE-2024-33580 · High · Oct 11, 2024
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    A DLL hijack vulnerability was reported in Lenovo Personal Cloud that could allow a local attacker to execute code with elevated privileges.

  • CVE-2024-33579 · High · Oct 11, 2024
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    A DLL hijack vulnerability was reported in Lenovo Baiying that could allow a local attacker to execute code with elevated privileges.

  • CVE-2024-33578 · High · Oct 11, 2024
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    A DLL hijack vulnerability was reported in Lenovo Leyun that could allow a local attacker to execute code with elevated privileges.

  • CVE-2024-4763 · High · Aug 16, 2024
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    An insecure driver vulnerability was reported in Lenovo Display Control Center (LDCC) and Lenovo Accessories and Display Manager (LADM) that could allow a local attacker to escalate privileges to kernel.

  • CVE-2024-2175 · High · Aug 16, 2024
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    An insecure permissions vulnerability was reported in Lenovo Display Control Center (LDCC) and Lenovo Accessories and Display Manager (LADM) that could allow a local attacker to escalate privileges.

  • CVE-2018-9063 · High · May 4, 2018
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) in Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering a very large user ID or password can overrun the program's buffer, causing undefined behaviors, such as…

  • CVE-2017-3762 · High · Jan 26, 2018
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local…

  • CVE-2017-3767 · High · Nov 13, 2017
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    A local privilege escalation vulnerability was identified in the Realtek audio driver versions prior to 6.0.1.8224 in some Lenovo ThinkPad products. An attacker with local privileges could execute code with administrative privileges.

  • CVE-2015-6971 · High · Oct 3, 2017
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0013 allows local users to submit commands to the System Update service (SUService.exe) and gain privileges by launching signed Lenovo executables.

Page 1 of 10