Vendor CVEs
Lenovo
All CVEs
486 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-21322 | | | 0.00 | — | 0.01 | | Feb 11, 2025 | Microsoft PC Manager Elevation of Privilege Vulnerability |
| CVE-2024-49051 | | | 0.00 | — | 0.01 | | Nov 12, 2024 | Microsoft PC Manager Elevation of Privilege Vulnerability |
| CVE-2024-9046 | | | 0.00 | — | 0.00 | | Oct 11, 2024 | A DLL hijack vulnerability was reported in Lenovo stARstudio that could allow a local attacker to execute code with elevated privileges. |
| CVE-2024-4132 | | | 0.00 | — | 0.00 | | Oct 11, 2024 | A DLL hijack vulnerability was reported in Lenovo Lock Screen that could allow a local attacker to execute code with elevated privileges. |
| CVE-2024-4130 | | | 0.00 | — | 0.00 | | Oct 11, 2024 | A DLL hijack vulnerability was reported in Lenovo App Store that could allow a local attacker to execute code with elevated privileges. |
| CVE-2024-4089 | | | 0.00 | — | 0.00 | | Oct 11, 2024 | A DLL hijack vulnerability was reported in Lenovo Super File that could allow a local attacker to execute code with elevated privileges. |
| CVE-2024-5474 | | | 0.00 | — | 0.00 | | Oct 11, 2024 | A potential information disclosure vulnerability was reported in Lenovo's packaging of Dolby Vision Provisioning software prior to version 2.0.0.2 that could allow a local attacker to read files on the system with elevated privileges during installation of the package.… |
| CVE-2024-45104 | | | 0.00 | — | 0.00 | | Sep 13, 2024 | A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXCA managed device through a specially crafted web API call. |
| CVE-2024-45103 | | | 0.00 | — | 0.00 | | Sep 13, 2024 | A valid, authenticated LXCA user may be able to unmanage an LXCA managed device through the LXCA web interface without sufficient privileges. |
| CVE-2024-33975 | | | 0.00 | — | 0.00 | | Aug 6, 2024 | Cross-Site Scripting (XSS) vulnerability in E-Negosyo System affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted JavaScript payload to an authenticated user and partially take over their browser session via 'view' parameter in… |
| CVE-2017-3772 | | | 0.00 | — | 0.00 | | Jul 31, 2024 | A vulnerability was reported in Lenovo PC Manager versions prior to 2.6.40.3154 that could allow an attacker to cause a system reboot. |
| CVE-2019-6197 | | | 0.00 | — | 0.00 | | Jul 31, 2024 | A vulnerability was reported in Lenovo PC Manager prior to version 2.8.90.11211 that could allow a local attacker to escalate privileges. |
| CVE-2019-6198 | | | 0.00 | — | 0.00 | | Jul 31, 2024 | A vulnerability was reported in Lenovo PC Manager prior to version 2.8.90.11211 that could allow a local attacker to escalate privileges. |
| CVE-2023-1577 | | | 0.00 | — | 0.00 | | Jul 31, 2024 | A path hijacking vulnerability was reported in Lenovo Driver Manager prior to version 3.1.1307.1308 that could allow a local user to execute code with elevated privileges. |
| CVE-2024-2659 | | | 0.00 | — | 0.01 | | Apr 15, 2024 | A command injection vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user with elevated privileges to execute system commands when performing a specific administrative function. |
| CVE-2024-23591 | | | 0.00 | — | 0.00 | | Feb 16, 2024 | ThinkSystem SR670V2 servers manufactured from approximately June 2021 to July 2023 were left in Manufacturing Mode which could allow an attacker with privileged logical access to the host or physical access to server internals to modify or disable Intel Boot Guard firmware… |
| CVE-2023-6450 | | | 0.00 | — | 0.00 | | Jan 19, 2024 | An incorrect permissions vulnerability was reported in the Lenovo App Store app that could allow an attacker to use system resources, resulting in a denial of service. |
| CVE-2023-6044 | | | 0.00 | — | 0.00 | | Jan 19, 2024 | A privilege escalation vulnerability was reported in Lenovo Vantage that could allow a local attacker with physical access to impersonate Lenovo Vantage Service and execute arbitrary code with elevated privileges. |
| CVE-2023-6043 | | | 0.00 | — | 0.00 | | Jan 19, 2024 | A privilege escalation vulnerability was reported in Lenovo Vantage that could allow a local attacker to bypass integrity checks and execute arbitrary code with elevated privileges. |
| CVE-2023-5081 | | | 0.00 | — | 0.00 | | Jan 19, 2024 | An information disclosure vulnerability was reported in the Lenovo Tab M8 HD that could allow a local application to gather a non-resettable device identifier. |
| CVE-2023-5080 | | | 0.00 | — | 0.00 | | Jan 19, 2024 | A privilege escalation vulnerability was reported in some Lenovo tablet products that could allow local applications access to device identifiers and system commands. |
| CVE-2023-6540 | | | 0.00 | — | 0.01 | | Jan 3, 2024 | A vulnerability was reported in the Lenovo Browser Mobile and Lenovo Browser HD Apps for Android that could allow an attacker to craft a payload that could result in the disclosure of sensitive information. |
| CVE-2023-6338 | | | 0.00 | — | 0.00 | | Jan 3, 2024 | Uncontrolled search path vulnerabilities were reported in the Lenovo Universal Device Client (UDC) that could allow an attacker with local access to execute code with elevated privileges. |
| CVE-2023-45079 | | | 0.00 | — | 0.00 | | Nov 8, 2023 | A memory leakage vulnerability was reported in the NvmramSmm SMM driver that may allow a local attacker with elevated privileges to write to NVRAM variables. |
| CVE-2023-45078 | | | 0.00 | — | 0.00 | | Nov 8, 2023 | A memory leakage vulnerability was reported in the DustFilterAlertSmm SMM driver that may allow a local attacker with elevated privileges to write to NVRAM variables. |
| CVE-2023-45077 | | | 0.00 | — | 0.00 | | Nov 8, 2023 | A memory leakage vulnerability was reported in the 534D0740 DXE driver that may allow a local attacker with elevated privileges to write to NVRAM variables. |
| CVE-2023-45076 | | | 0.00 | — | 0.00 | | Nov 8, 2023 | A memory leakage vulnerability was reported in the 534D0140 DXE driver that may allow a local attacker with elevated privileges to write to NVRAM variables. |
| CVE-2023-45075 | | | 0.00 | — | 0.00 | | Nov 8, 2023 | A memory leakage vulnerability was reported in the SWSMI_Shadow DXE driver that may allow a local attacker with elevated privileges to write to NVRAM variables. |
| CVE-2023-43581 | | | 0.00 | — | 0.00 | | Nov 8, 2023 | A buffer overflow was reported in the Update_WMI module in some Lenovo Desktop products that may allow a local attacker with elevated privileges to execute arbitrary code. |
| CVE-2023-43580 | | | 0.00 | — | 0.00 | | Nov 8, 2023 | A buffer overflow was reported in the SmuV11DxeVMR module in some Lenovo Desktop products that may allow a local attacker with elevated privileges to execute arbitrary code. |
| CVE-2023-43578 | | | 0.00 | — | 0.00 | | Nov 8, 2023 | A buffer overflow was reported in the SmiFlash module in some Lenovo Desktop products that may allow a local attacker with elevated privileges to execute arbitrary code. |
| CVE-2023-43567 | | | 0.00 | — | 0.00 | | Nov 8, 2023 | A buffer overflow was reported in the LemSecureBootForceKey module in some Lenovo Desktop products that may allow a local attacker with elevated privileges to execute arbitrary code. |
| CVE-2023-5079 | | | 0.00 | — | 0.01 | | Nov 8, 2023 | Lenovo LeCloud App improper input validation allows attackers to access arbitrary components and arbitrary file downloads, which could result in information disclosure. |
| CVE-2023-5078 | | | 0.00 | — | 0.00 | | Nov 8, 2023 | A vulnerability was reported in some ThinkPad BIOS that could allow a physical or local attacker with elevated privileges to tamper with BIOS firmware. |
| CVE-2023-5075 | | | 0.00 | — | 0.00 | | Nov 8, 2023 | A buffer overflow was reported in the FmpSipoCapsuleDriver driver in the IdeaPad Duet 3-10IGL5 that may allow a local attacker with elevated privileges to execute arbitrary code. |
| CVE-2023-4632 | | | 0.00 | — | 0.00 | | Nov 8, 2023 | An uncontrolled search path vulnerability was reported in Lenovo System Update that could allow an attacker with local access to execute code with elevated privileges. |
| CVE-2022-4575 | | | 0.00 | — | 0.00 | | Oct 30, 2023 | A vulnerability due to improper write protection of UEFI variables was reported in the BIOS of some ThinkPad models that could allow an attacker with physical or local access and elevated privileges the ability to bypass Secure Boot. |
| CVE-2022-48189 | | | 0.00 | — | 0.00 | | Oct 30, 2023 | An SMM driver input validation vulnerability in the BIOS of some ThinkPad models could allow an attacker with local access and elevated privileges to execute arbitrary code. |
| CVE-2022-4574 | | | 0.00 | — | 0.00 | | Oct 30, 2023 | An SMI handler input validation vulnerability in the BIOS of some ThinkPad models could allow an attacker with local access and elevated privileges to execute arbitrary code. |
| CVE-2022-4573 | | | 0.00 | — | 0.00 | | Oct 30, 2023 | An SMI handler input validation vulnerability in the ThinkPad X1 Fold Gen 1 could allow an attacker with local access and elevated privileges to execute arbitrary code. |
| CVE-2022-3702 | | | 0.00 | — | 0.00 | | Oct 27, 2023 | A denial of service vulnerability was reported in Lenovo Vantage HardwareScan Plugin version 1.3.0.5 and earlier that could allow a local attacker to delete contents of an arbitrary directory under certain conditions. |
| CVE-2022-3701 | | | 0.00 | — | 0.00 | | Oct 27, 2023 | A privilege elevation vulnerability was reported in the Lenovo Vantage SystemUpdate plugin version 2.0.0.212 and earlier that could allow a local attacker to execute arbitrary code with elevated privileges. |
| CVE-2022-3700 | | | 0.00 | — | 0.00 | | Oct 27, 2023 | A Time of Check Time of Use (TOCTOU) vulnerability was reported in the Lenovo Vantage SystemUpdate Plugin version 2.0.0.212 and earlier that could allow a local attacker to delete arbitrary files. |
| CVE-2022-3611 | | | 0.00 | — | 0.00 | | Oct 27, 2023 | An information disclosure vulnerability has been identified in the Lenovo App Store which may allow some applications to gain unauthorized access to sensitive user data used by other unrelated applications. |
| CVE-2022-3429 | | | 0.00 | — | 0.00 | | Oct 27, 2023 | A denial-of-service vulnerability was found in the firmware used in Lenovo printers, where users send illegal or malformed strings to an open port, triggering a denial of service that causes a display error and prevents the printer from functioning properly. |
| CVE-2022-3698 | | | 0.00 | — | 0.00 | | Oct 24, 2023 | A denial of service vulnerability was reported in the Lenovo HardwareScanPlugin versions prior to 1.3.1.2 and Lenovo Diagnostics versions prior to 4.45 that could allow a local user with administrative access to trigger a system crash. |
| CVE-2022-0353 | | | 0.00 | — | 0.00 | | Oct 24, 2023 | A denial of service vulnerability was reported in the Lenovo HardwareScanPlugin versions prior to 1.3.1.2 and Lenovo Diagnostics versions prior to 4.45 that could allow a local user with administrative access to trigger a system crash. |
| CVE-2023-3112 | | | 0.00 | — | 0.00 | | Oct 24, 2023 | A vulnerability was reported in Elliptic Labs Virtual Lock Sensor for ThinkPad T14 Gen 3 that could allow an attacker with local access to execute code with elevated privileges. |
| CVE-2023-4608 | | | 0.00 | — | 0.00 | | Oct 24, 2023 | An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected. |
| CVE-2023-4607 | | | 0.00 | — | 0.00 | | Oct 24, 2023 | An authenticated XCC user can change permissions for any user through a crafted API command. |