ID

VAR-201809-1096


CVE

CVE-2018-9078


TITLE

Vulnerabilities related to security functions in multiple Lenovo product devices

Trust: 0.8

sources: JVNDB: JVNDB-2018-013140

DESCRIPTION

For some Iomega, Lenovo, and LenovoEMC NAS devices running versions 4.1.402.34662 and earlier, the Content Explorer application lets users upload files to shares, and uploaded images are rendered in the browser in the device's origin instead of prompting a download of the asset. The application does not prevent the user from uploading SVG images and returns these images within their origin. As a result, malicious users can upload SVG images that contain arbitrary JavaScript that is evaluated when the victim issues a request to download the file.

Iomega, Lenovo, and LenovoEMC NAS devices contain vulnerabilities related to security functions. Information may be obtained, information may be altered, and service operation may be disrupted (DoS).

Lenovo Iomega StorCenter px12-450r and others are all storage devices from the Chinese company Lenovo. There are security vulnerabilities in the Web UI of several Lenovo products using firmware versions 4.1.402.34662 and earlier. An attacker could exploit this vulnerability to elevate privileges by uploading an SVG image with arbitrary JavaScript code. The following products are affected: Lenovo Iomega StorCenter px12-450r, StorCenter px12-400r, StorCenter px4-300r, StorCenter px6-300d, StorCenter px4-300d, StorCenter px2-300d, StorCenter ix4-300d, StorCenter ix2/ix2-dl, EZ Media & Backup Center; LenovoEMC px12-450r, px12-400r, px4-400r, px4-300r, px6-300d, px4-400d, px4-300d, px2-300d; Lenovo ix4-300d, ix2, EZ Media & Backup Center.

Trust: 1.71

sources: NVD: CVE-2018-9078 // JVNDB: JVNDB-2018-013140 // VULHUB: VHN-139110

AFFECTED PRODUCTS

vendor: lenovo, model: storcenter px12-400r, scope: eq, version: 4.1.402.34662

Trust: 1.6

vendor: lenovo, model: storcenter px4-300r, scope: eq, version: 4.1.402.34662

Trust: 1.6

vendor: lenovo, model: storcenter px2-300d, scope: eq, version: 4.1.402.34662

Trust: 1.6

vendor: lenovo, model: storcenter ix4-300d, scope: eq, version: 4.1.402.34662

Trust: 1.6

vendor: lenovo, model: storcenter px12-450r, scope: eq, version: 4.1.402.34662

Trust: 1.6

vendor: lenovo, model: storcenter px4-300d, scope: eq, version: 4.1.402.34662

Trust: 1.6

vendor: lenovo, model: ez media & backup center, scope: eq, version: 4.1.402.34662

Trust: 1.6

vendor: lenovo, model: storcenter px6-300d, scope: eq, version: 4.1.402.34662

Trust: 1.6

vendor: lenovo, model: storcenter ix2, scope: eq, version: 4.1.402.34662

Trust: 1.6

vendor: lenovo, model: storcenter ix2-dl, scope: eq, version: 4.1.402.34662

Trust: 1.6

vendor: lenovo, model: ix4-300d, scope: eq, version: 4.1.402.34662

Trust: 1.0

vendor: lenovo, model: px12-450r, scope: eq, version: 4.1.402.34662

Trust: 1.0

vendor: lenovo, model: px4-400r, scope: eq, version: 4.1.402.34662

Trust: 1.0

vendor: lenovo, model: px4-300d, scope: eq, version: 4.1.402.34662

Trust: 1.0

vendor: lenovo, model: px12-400r, scope: eq, version: 4.1.402.34662

Trust: 1.0

vendor: lenovo, model: px4-400d, scope: eq, version: 4.1.402.34662

Trust: 1.0

vendor: lenovo, model: ix2, scope: eq, version: 4.1.402.34662

Trust: 1.0

vendor: lenovo, model: px6-300d, scope: eq, version: 4.1.402.34662

Trust: 1.0

vendor: lenovo, model: px2-300d, scope: eq, version: 4.1.402.34662

Trust: 1.0

vendor: lenovo, model: px4-300r, scope: eq, version: 4.1.402.34662

Trust: 1.0

vendor: lenovo, model: ez media & backup center, scope: lte, version: 4.1.402.34662

Trust: 0.8

vendor: lenovo, model: storcenter ix2, scope: lte, version: 4.1.402.34662

Trust: 0.8

vendor: lenovo, model: storcenter ix2-dl, scope: lte, version: 4.1.402.34662

Trust: 0.8

vendor: lenovo, model: storcenter ix4-300d, scope: lte, version: 4.1.402.34662

Trust: 0.8

vendor: lenovo, model: storcenter px12-400r, scope: lte, version: 4.1.402.34662

Trust: 0.8

vendor: lenovo, model: storcenter px12-450r, scope: lte, version: 4.1.402.34662

Trust: 0.8

vendor: lenovo, model: storcenter px2-300d, scope: lte, version: 4.1.402.34662

Trust: 0.8

vendor: lenovo, model: storcenter px4-300d, scope: lte, version: 4.1.402.34662

Trust: 0.8

vendor: lenovo, model: storcenter px4-300r, scope: lte, version: 4.1.402.34662

Trust: 0.8

vendor: lenovo, model: storcenter px6-300d, scope: lte, version: 4.1.402.34662

Trust: 0.8

sources: JVNDB: JVNDB-2018-013140 // CNNVD: CNNVD-201809-1177 // NVD: CVE-2018-9078

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-9078
value: HIGH

Trust: 1.0

NVD: CVE-2018-9078
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201809-1177
value: HIGH

Trust: 0.6

VULHUB: VHN-139110
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-9078
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-139110
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-9078
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-139110 // JVNDB: JVNDB-2018-013140 // CNNVD: CNNVD-201809-1177 // NVD: CVE-2018-9078

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.1

problemtype:CWE-254

Trust: 0.8

sources: VULHUB: VHN-139110 // JVNDB: JVNDB-2018-013140 // NVD: CVE-2018-9078

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-1177

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201809-1177

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-013140

PATCH

title: LEN-24224, url: https://support.lenovo.com/us/en/solutions/LEN-24224

Trust: 0.8

title: Multiple Lenovo Product security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85211

Trust: 0.6

sources: JVNDB: JVNDB-2018-013140 // CNNVD: CNNVD-201809-1177

EXTERNAL IDS

db: NVD, id: CVE-2018-9078

Trust: 2.5

db: LENOVO, id: LEN-24224

Trust: 1.7

db: JVNDB, id: JVNDB-2018-013140

Trust: 0.8

db: CNNVD, id: CNNVD-201809-1177

Trust: 0.7

db: VULHUB, id: VHN-139110

Trust: 0.1

sources: VULHUB: VHN-139110 // JVNDB: JVNDB-2018-013140 // CNNVD: CNNVD-201809-1177 // NVD: CVE-2018-9078

REFERENCES

url:https://support.lenovo.com/us/en/solutions/len-24224

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-9078

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-9078

Trust: 0.8

sources: VULHUB: VHN-139110 // JVNDB: JVNDB-2018-013140 // CNNVD: CNNVD-201809-1177 // NVD: CVE-2018-9078

SOURCES

db: VULHUB, id: VHN-139110
db: JVNDB, id: JVNDB-2018-013140
db: CNNVD, id: CNNVD-201809-1177
db: NVD, id: CVE-2018-9078

LAST UPDATE DATE

2024-11-23T22:00:17.173000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-139110, date: 2019-10-03T00:00:00
db: JVNDB, id: JVNDB-2018-013140, date: 2019-02-15T00:00:00
db: CNNVD, id: CNNVD-201809-1177, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2018-9078, date: 2024-11-21T04:14:55.757

SOURCES RELEASE DATE

db: VULHUB, id: VHN-139110, date: 2018-09-28T00:00:00
db: JVNDB, id: JVNDB-2018-013140, date: 2019-02-15T00:00:00
db: CNNVD, id: CNNVD-201809-1177, date: 2018-09-27T00:00:00
db: NVD, id: CVE-2018-9078, date: 2018-09-28T20:29:01.097