VYPR

Vendor CVEs

Lenovo

All CVEs

486 total · sorted by risk
  • CVE-2022-4435Jan 5, 2023
    risk 0.00cvss epss 0.00

    A buffer over-read vulnerability was reported in the ThinkPadX13s BIOS LenovoRemoteConfigUpdateDxe driver that could allow a local attacker with elevated privileges to cause information disclosure.

  • CVE-2022-4434Jan 5, 2023
    risk 0.00cvss epss 0.00

    A buffer over-read vulnerability was reported in the ThinkPadX13s BIOS driver that could allow a local attacker with elevated privileges to cause information disclosure.

  • CVE-2022-4433Jan 5, 2023
    risk 0.00cvss epss 0.00

    A buffer over-read vulnerability was reported in the ThinkPadX13s BIOS LenovoSetupConfigDxe driver that could allow a local attacker with elevated privileges to cause information disclosure.

  • CVE-2022-4432Jan 5, 2023
    risk 0.00cvss epss 0.00

    A buffer over-read vulnerability was reported in the ThinkPadX13s BIOS PersistenceConfigDxe driver that could allow a local attacker with elevated privileges to cause information disclosure.

  • CVE-2019-19705Dec 26, 2022
    risk 0.00cvss epss 0.00

    Realtek Audio Drivers for Windows, as used on the Lenovo ThinkPad X1 Carbon 20A7, 20A8, 20BS, and 20BT before 6.0.8882.1 and 20KH and 20KG before 6.0.8907.1 (and on many other Lenovo and non-Lenovo products), mishandles DLL preloading.

  • CVE-2022-1513Aug 23, 2022
    risk 0.00cvss epss 0.00

    A potential vulnerability was reported in Lenovo PCManager prior to version 5.0.10.4191 that may allow code execution when visiting a specially crafted website.

  • CVE-2022-1110May 18, 2022
    risk 0.00cvss epss 0.00

    A buffer overflow vulnerability in Lenovo Smart Standby Driver prior to version 4.1.50.0 could allow a local attacker to cause denial of service.

  • CVE-2021-42852May 18, 2022
    risk 0.00cvss epss 0.01

    A command injection vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an authenticated user to execute operating system commands by sending a crafted packet to the device.

  • CVE-2021-42851May 18, 2022
    risk 0.00cvss epss 0.01

    A vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to create a standard user account.

  • CVE-2021-42850May 18, 2022
    risk 0.00cvss epss 0.00

    A weak default administrator password for the web interface and serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical or local network access.

  • CVE-2021-42849May 18, 2022
    risk 0.00cvss epss 0.00

    A weak default password for the serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical access.

  • CVE-2021-42848May 18, 2022
    risk 0.00cvss epss 0.01

    An information disclosure vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to retrieve device and networking details.

  • CVE-2021-3969May 18, 2022
    risk 0.00cvss epss 0.02

    A Time of Check Time of Use (TOCTOU) vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, prior to version 1.1.20.3that could allow a local attacker to elevate privileges.

  • CVE-2021-3956May 18, 2022
    risk 0.00cvss epss 0.01

    A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such…

  • CVE-2021-3922May 18, 2022
    risk 0.00cvss epss 0.02

    A race condition vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, prior to version 1.1.20.3 that could allow a local attacker to connect and interact with the IMController child process' named pipe.

  • CVE-2021-26317May 12, 2022
    risk 0.00cvss epss 0.00

    Failure to verify the protocol in SMM may allow an attacker to control the protocol and modify SPI flash resulting in a potential arbitrary code execution.

  • CVE-2021-26353May 10, 2022
    risk 0.00cvss epss 0.00

    Failure to validate inputs in SMM may allow an attacker to create a mishandled error leaving the DRTM UApp in a partially initialized state potentially resulting in loss of memory integrity.

  • CVE-2021-3897Apr 22, 2022
    risk 0.00cvss epss 0.01

    An authentication bypass vulnerability was discovered in an internal service of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware during an that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not…

  • CVE-2021-3849Apr 22, 2022
    risk 0.00cvss epss 0.01

    An authentication bypass vulnerability was discovered in the web interface of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected.

  • CVE-2022-1108Apr 22, 2022
    risk 0.00cvss epss 0.00

    A potential vulnerability due to improper buffer validation in the SMI handler LenovoFlashDeviceInterface in Thinkpad X1 Fold Gen 1 could be exploited by an attacker with local access and elevated privileges to execute arbitrary code.

  • CVE-2022-1107Apr 22, 2022
    risk 0.00cvss epss 0.00

    During an internal product security audit a potential vulnerability due to use of Boot Services in the SmmOEMInt15 SMI handler was discovered in some ThinkPad models could be exploited by an attacker with elevated privileges that could allow for execution of code.

  • CVE-2022-0636Apr 22, 2022
    risk 0.00cvss epss 0.00

    A denial of service vulnerability was reported in Lenovo Thin Installer prior to version 1.3.0039 that could trigger a system crash.

  • CVE-2022-0192Apr 22, 2022
    risk 0.00cvss epss 0.00

    A DLL search path vulnerability was reported in Lenovo PCManager prior to version 4.0.40.2175 that could allow privilege escalation.

  • CVE-2021-4212Apr 22, 2022
    risk 0.00cvss epss 0.00

    A potential vulnerability in the SMI callback function used in the Legacy BIOS mode driver in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.

  • CVE-2021-4211Apr 22, 2022
    risk 0.00cvss epss 0.00

    A potential vulnerability in the SMI callback function used in the SMBIOS event log driver in some Lenovo Desktop, ThinkStation, and ThinkEdge models may allow an attacker with local access and elevated privileges to execute arbitrary code.

  • CVE-2021-4210Apr 22, 2022
    risk 0.00cvss epss 0.00

    A potential vulnerability in the SMI callback function used in the NVME driver in some Lenovo Desktop, ThinkStation, and ThinkEdge models may allow an attacker with local access and elevated privileges to execute arbitrary code.

  • CVE-2021-3972Apr 22, 2022
    risk 0.00cvss epss 0.03

    A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices' BIOS that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

  • CVE-2021-3971Apr 22, 2022
    risk 0.00cvss epss 0.01

    A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify firmware protection region by modifying an NVRAM…

  • CVE-2021-3970Apr 22, 2022
    risk 0.00cvss epss 0.01

    A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models BIOS may allow an attacker with local access and elevated privileges to execute arbitrary code.

  • CVE-2021-3898Apr 22, 2022
    risk 0.00cvss epss 0.00

    Versions of Motorola Ready For and Motorola Device Help Android applications prior to 2021-04-08 do not properly verify the server certificate which could lead to the communication channel being accessible by an attacker.

  • CVE-2021-3722Apr 22, 2022
    risk 0.00cvss epss 0.00

    A denial of service vulnerability was reported in Lenovo PCManager prior to version 4.0.40.2175 that could allow configuration files to be written to non-standard locations during installation.

  • CVE-2021-3721Apr 22, 2022
    risk 0.00cvss epss 0.00

    A denial of service vulnerability was reported in Lenovo PCManager prior to version 4.0.20.10282 that could allow an attacker with local access to trigger a blue screen error.

  • CVE-2020-14118Apr 21, 2022
    risk 0.00cvss epss 0.01

    An intent redirection vulnerability in the Mi App Store product. This vulnerability is caused by the Mi App Store does not verify the validity of the incoming data, can cause the app store to automatically download and install apps.

  • CVE-2020-14121Apr 21, 2022
    risk 0.00cvss epss 0.00

    A business logic vulnerability exists in Mi App Store. The vulnerability is caused by incomplete permission checks of the products being bypassed, and an attacker can exploit the vulnerability to perform a local silent installation.

  • CVE-2021-39298Feb 16, 2022
    risk 0.00cvss epss 0.00

    A potential vulnerability in AMD System Management Mode (SMM) interrupt handler may allow an attacker with high privileges to access the SMM resulting in arbitrary code execution which could be used by malicious actors to bypass security mechanisms provided in the UEFI firmware.

  • CVE-2022-22554Jan 24, 2022
    risk 0.00cvss epss 0.00

    Dell EMC System Update, version 1.9.2 and prior, contain an Unprotected Storage of Credentials vulnerability. A local attacker with user privleges could potentially exploit this vulnerability leading to the disclosure of user passwords.

  • CVE-2021-37084Dec 7, 2021
    risk 0.00cvss epss 0.01

    There is a Improper Input Validation vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to malicious invoking other functions of the Smart Assistant through text messages.

  • CVE-2021-3843Nov 12, 2021
    risk 0.00cvss epss 0.00

    A potential vulnerability in the SMI function to access EEPROM in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.

  • CVE-2021-3720Nov 12, 2021
    risk 0.00cvss epss 0.00

    An information disclosure vulnerability was reported in the Time Weather system widget on Legion Phone Pro (L79031) and Legion Phone2 Pro (L70081) that could allow other applications to access device GPS data.

  • CVE-2021-3719Nov 12, 2021
    risk 0.00cvss epss 0.00

    A potential vulnerability in the SMI callback function that saves and restore boot script tables used for resuming from sleep state in some ThinkCentre and ThinkStation models may allow an attacker with local access and elevated privileges to execute arbitrary code.

  • CVE-2021-3718Nov 12, 2021
    risk 0.00cvss epss 0.00

    A denial of service vulnerability was reported in some ThinkPad models that could cause a system to crash when the Enhanced Biometrics setting is enabled in BIOS.

  • CVE-2021-3599Nov 12, 2021
    risk 0.00cvss epss 0.00

    A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.

  • CVE-2021-3633Aug 17, 2021
    risk 0.00cvss epss 0.00

    A DLL preloading vulnerability was reported in Lenovo Driver Management prior to version 2.9.0719.1104 that could allow privilege escalation.

  • CVE-2021-3617Aug 17, 2021
    risk 0.00cvss epss 0.02

    A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow command injection by setting a specially crafted network configuration. This vulnerability is the same as CNVD-2020-68652.

  • CVE-2021-3616Aug 17, 2021
    risk 0.00cvss epss 0.01

    A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow an unauthorized user to view device information, alter firmware content and device configuration. This vulnerability is the same as CNVD-2020-68651.

  • CVE-2021-3615Aug 17, 2021
    risk 0.00cvss epss 0.00

    A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow code execution if a specific file exists on the attached SD card. This vulnerability is the same as CNVD-2021-45262.

  • CVE-2021-3614Jul 16, 2021
    risk 0.00cvss epss 0.00

    A vulnerability was reported on some Lenovo Notebook systems that could allow an attacker with physical access to elevate privileges under certain conditions during a BIOS update performed by Lenovo Vantage.

  • CVE-2021-3550Jul 16, 2021
    risk 0.00cvss epss 0.00

    A DLL search path vulnerability was reported in Lenovo PCManager, prior to version 3.0.500.5102, that could allow privilege escalation.

  • CVE-2021-3453Jul 16, 2021
    risk 0.00cvss epss 0.00

    Some Lenovo Notebook, ThinkPad, and Lenovo Desktop systems have BIOS modules unprotected by Intel Boot Guard that could allow an attacker with physical access the ability to write to the SPI flash storage.

  • CVE-2021-3452Jul 16, 2021
    risk 0.00cvss epss 0.00

    A potential vulnerability in the system shutdown SMI callback function in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.

Page 7 of 10