Search

Find a vulnerability

Search criteria

    10 vulnerabilities found for px4-400r_firmware by lenovo

    CVE-2018-9082 (GCVE-0-2018-9082)

    Vulnerability from nvd – Published: 2018-09-28 20:00 – Updated: 2024-08-05 07:17
    VLAI
    Title
    Iomega and LenovoEMC NAS Web UI Vulnerabilities
    Summary
    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one. As a result, attackers with access to the user's session tokens can change their password and retain access to the user's account
    Severity
    No CVSS data available.
    CWE
    • Password change does not require existing password
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group LTD Iomega StorCenter Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD LenovoEMC Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD EZ Media and Backup Center Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Date Public
    2018-09-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:17:50.627Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Iomega StorCenter",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "LenovoEMC",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "EZ Media and Backup Center",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-09-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user\u0027s current password to set a new one. As a result, attackers with access to the user\u0027s session tokens can change their password and retain access to the user\u0027s account"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Password change does not require existing password",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-09-28T19:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
            }
          ],
          "source": {
            "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
            "discovery": "UNKNOWN"
          },
          "title": "Iomega and LenovoEMC NAS Web UI Vulnerabilities",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2018-9082",
              "STATE": "PUBLIC",
              "TITLE": "Iomega and LenovoEMC NAS Web UI Vulnerabilities"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Iomega StorCenter",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "LenovoEMC",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "EZ Media and Backup Center",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group LTD"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user\u0027s current password to set a new one. As a result, attackers with access to the user\u0027s session tokens can change their password and retain access to the user\u0027s account"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Password change does not require existing password"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-24224",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
                }
              ]
            },
            "source": {
              "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9082",
        "datePublished": "2018-09-28T20:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:17:50.627Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9081 (GCVE-0-2018-9081)

    Vulnerability from nvd – Published: 2018-09-28 20:00 – Updated: 2024-08-05 07:17
    VLAI
    Title
    Iomega and LenovoEMC NAS Web UI Vulnerabilities
    Summary
    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file name used for assets accessible through the Content Viewer application are vulnerable to self cross-site scripting self-XSS. As a result, adversaries can add files to shares accessible from the Content Viewer with a cross site scripting payload in its name, and wait for a user to try and rename the file for their payload to trigger.
    Severity
    No CVSS data available.
    CWE
    • Cross-site scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group LTD Iomega StorCenter Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD LenovoEMC Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD EZ Media and Backup Center Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Date Public
    2018-09-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:17:50.658Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Iomega StorCenter",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "LenovoEMC",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "EZ Media and Backup Center",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-09-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file name used for assets accessible through the Content Viewer application are vulnerable to self cross-site scripting self-XSS. As a result, adversaries can add files to shares accessible from the Content Viewer with a cross site scripting payload in its name, and wait for a user to try and rename the file for their payload to trigger."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-09-28T19:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
            }
          ],
          "source": {
            "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
            "discovery": "UNKNOWN"
          },
          "title": "Iomega and LenovoEMC NAS Web UI Vulnerabilities",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2018-9081",
              "STATE": "PUBLIC",
              "TITLE": "Iomega and LenovoEMC NAS Web UI Vulnerabilities"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Iomega StorCenter",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "LenovoEMC",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "EZ Media and Backup Center",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group LTD"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file name used for assets accessible through the Content Viewer application are vulnerable to self cross-site scripting self-XSS. As a result, adversaries can add files to shares accessible from the Content Viewer with a cross site scripting payload in its name, and wait for a user to try and rename the file for their payload to trigger."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-24224",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
                }
              ]
            },
            "source": {
              "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9081",
        "datePublished": "2018-09-28T20:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:17:50.658Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9080 (GCVE-0-2018-9080)

    Vulnerability from nvd – Published: 2018-09-28 20:00 – Updated: 2024-08-05 07:17
    VLAI
    Title
    Iomega and LenovoEMC NAS Web UI Vulnerabilities
    Summary
    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, by setting the Iomega cookie to a known value before logging into the NAS's web application, the NAS will not provide the user a new cookie value. This allows an attacker who knows the cookie's value to compromise the user's session.
    Severity
    No CVSS data available.
    CWE
    • Session fixation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group LTD Iomega StorCenter Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD LenovoEMC Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD EZ Media and Backup Center Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Date Public
    2018-09-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:17:50.641Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Iomega StorCenter",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "LenovoEMC",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "EZ Media and Backup Center",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-09-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, by setting the Iomega cookie to a known value before logging into the NAS\u0027s web application, the NAS will not provide the user a new cookie value. This allows an attacker who knows the cookie\u0027s value to compromise the user\u0027s session."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Session fixation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-09-28T19:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
            }
          ],
          "source": {
            "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
            "discovery": "UNKNOWN"
          },
          "title": "Iomega and LenovoEMC NAS Web UI Vulnerabilities",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2018-9080",
              "STATE": "PUBLIC",
              "TITLE": "Iomega and LenovoEMC NAS Web UI Vulnerabilities"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Iomega StorCenter",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "LenovoEMC",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "EZ Media and Backup Center",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group LTD"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, by setting the Iomega cookie to a known value before logging into the NAS\u0027s web application, the NAS will not provide the user a new cookie value. This allows an attacker who knows the cookie\u0027s value to compromise the user\u0027s session."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Session fixation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-24224",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
                }
              ]
            },
            "source": {
              "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9080",
        "datePublished": "2018-09-28T20:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:17:50.641Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9079 (GCVE-0-2018-9079)

    Vulnerability from nvd – Published: 2018-09-28 20:00 – Updated: 2024-08-05 07:17
    VLAI
    Title
    Iomega and LenovoEMC NAS Web UI Vulnerabilities
    Summary
    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, adversaries can craft URLs to modify the Document Object Model (DOM) of the page. In addition, adversaries can inject HTML script tags and HTML tags with JavaScript handlers to execute arbitrary JavaScript with the origin of the device.
    Severity
    No CVSS data available.
    CWE
    • Arbitrary code execution
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group LTD Iomega StorCenter Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD LenovoEMC Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD EZ Media and Backup Center Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Date Public
    2018-09-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:17:50.623Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Iomega StorCenter",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "LenovoEMC",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "EZ Media and Backup Center",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-09-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, adversaries can craft URLs to modify the Document Object Model (DOM) of the page. In addition, adversaries can inject HTML script tags and HTML tags with JavaScript handlers to execute arbitrary JavaScript with the origin of the device."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Arbitrary code execution",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-09-28T19:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
            }
          ],
          "source": {
            "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
            "discovery": "UNKNOWN"
          },
          "title": "Iomega and LenovoEMC NAS Web UI Vulnerabilities",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2018-9079",
              "STATE": "PUBLIC",
              "TITLE": "Iomega and LenovoEMC NAS Web UI Vulnerabilities"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Iomega StorCenter",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "LenovoEMC",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "EZ Media and Backup Center",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group LTD"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, adversaries can craft URLs to modify the Document Object Model (DOM) of the page. In addition, adversaries can inject HTML script tags and HTML tags with JavaScript handlers to execute arbitrary JavaScript with the origin of the device."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Arbitrary code execution"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-24224",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
                }
              ]
            },
            "source": {
              "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9079",
        "datePublished": "2018-09-28T20:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:17:50.623Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9078 (GCVE-0-2018-9078)

    Vulnerability from nvd – Published: 2018-09-28 20:00 – Updated: 2024-08-05 07:17
    VLAI
    Title
    Iomega and LenovoEMC NAS Web UI Vulnerabilities
    Summary
    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device's origin instead of prompting to download the asset. The application does not prevent the user from uploading SVG images and returns these images within their origin. As a result, malicious users can upload SVG images that contain arbitrary JavaScript that is evaluated when the victim issues a request to download the file.
    Severity
    No CVSS data available.
    CWE
    • SVG
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group LTD Iomega StorCenter Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD LenovoEMC Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD EZ Media and Backup Center Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Date Public
    2018-09-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:17:50.689Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Iomega StorCenter",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "LenovoEMC",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "EZ Media and Backup Center",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-09-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device\u0027s origin instead of prompting to download the asset. The application does not prevent the user from uploading SVG images and returns these images within their origin. As a result, malicious users can upload SVG images that contain arbitrary JavaScript that is evaluated when the victim issues a request to download the file."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SVG",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-09-28T19:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
            }
          ],
          "source": {
            "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
            "discovery": "UNKNOWN"
          },
          "title": "Iomega and LenovoEMC NAS Web UI Vulnerabilities",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2018-9078",
              "STATE": "PUBLIC",
              "TITLE": "Iomega and LenovoEMC NAS Web UI Vulnerabilities"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Iomega StorCenter",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "LenovoEMC",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "EZ Media and Backup Center",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group LTD"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device\u0027s origin instead of prompting to download the asset. The application does not prevent the user from uploading SVG images and returns these images within their origin. As a result, malicious users can upload SVG images that contain arbitrary JavaScript that is evaluated when the victim issues a request to download the file."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "SVG"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-24224",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
                }
              ]
            },
            "source": {
              "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9078",
        "datePublished": "2018-09-28T20:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:17:50.689Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9079 (GCVE-0-2018-9079)

    Vulnerability from cvelistv5 – Published: 2018-09-28 20:00 – Updated: 2024-08-05 07:17
    VLAI
    Title
    Iomega and LenovoEMC NAS Web UI Vulnerabilities
    Summary
    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, adversaries can craft URLs to modify the Document Object Model (DOM) of the page. In addition, adversaries can inject HTML script tags and HTML tags with JavaScript handlers to execute arbitrary JavaScript with the origin of the device.
    Severity
    No CVSS data available.
    CWE
    • Arbitrary code execution
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group LTD Iomega StorCenter Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD LenovoEMC Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD EZ Media and Backup Center Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Date Public
    2018-09-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:17:50.623Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Iomega StorCenter",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "LenovoEMC",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "EZ Media and Backup Center",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-09-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, adversaries can craft URLs to modify the Document Object Model (DOM) of the page. In addition, adversaries can inject HTML script tags and HTML tags with JavaScript handlers to execute arbitrary JavaScript with the origin of the device."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Arbitrary code execution",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-09-28T19:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
            }
          ],
          "source": {
            "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
            "discovery": "UNKNOWN"
          },
          "title": "Iomega and LenovoEMC NAS Web UI Vulnerabilities",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2018-9079",
              "STATE": "PUBLIC",
              "TITLE": "Iomega and LenovoEMC NAS Web UI Vulnerabilities"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Iomega StorCenter",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "LenovoEMC",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "EZ Media and Backup Center",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group LTD"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, adversaries can craft URLs to modify the Document Object Model (DOM) of the page. In addition, adversaries can inject HTML script tags and HTML tags with JavaScript handlers to execute arbitrary JavaScript with the origin of the device."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Arbitrary code execution"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-24224",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
                }
              ]
            },
            "source": {
              "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9079",
        "datePublished": "2018-09-28T20:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:17:50.623Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9078 (GCVE-0-2018-9078)

    Vulnerability from cvelistv5 – Published: 2018-09-28 20:00 – Updated: 2024-08-05 07:17
    VLAI
    Title
    Iomega and LenovoEMC NAS Web UI Vulnerabilities
    Summary
    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device's origin instead of prompting to download the asset. The application does not prevent the user from uploading SVG images and returns these images within their origin. As a result, malicious users can upload SVG images that contain arbitrary JavaScript that is evaluated when the victim issues a request to download the file.
    Severity
    No CVSS data available.
    CWE
    • SVG
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group LTD Iomega StorCenter Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD LenovoEMC Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD EZ Media and Backup Center Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Date Public
    2018-09-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:17:50.689Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Iomega StorCenter",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "LenovoEMC",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "EZ Media and Backup Center",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-09-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device\u0027s origin instead of prompting to download the asset. The application does not prevent the user from uploading SVG images and returns these images within their origin. As a result, malicious users can upload SVG images that contain arbitrary JavaScript that is evaluated when the victim issues a request to download the file."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SVG",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-09-28T19:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
            }
          ],
          "source": {
            "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
            "discovery": "UNKNOWN"
          },
          "title": "Iomega and LenovoEMC NAS Web UI Vulnerabilities",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2018-9078",
              "STATE": "PUBLIC",
              "TITLE": "Iomega and LenovoEMC NAS Web UI Vulnerabilities"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Iomega StorCenter",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "LenovoEMC",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "EZ Media and Backup Center",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group LTD"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device\u0027s origin instead of prompting to download the asset. The application does not prevent the user from uploading SVG images and returns these images within their origin. As a result, malicious users can upload SVG images that contain arbitrary JavaScript that is evaluated when the victim issues a request to download the file."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "SVG"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-24224",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
                }
              ]
            },
            "source": {
              "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9078",
        "datePublished": "2018-09-28T20:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:17:50.689Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9080 (GCVE-0-2018-9080)

    Vulnerability from cvelistv5 – Published: 2018-09-28 20:00 – Updated: 2024-08-05 07:17
    VLAI
    Title
    Iomega and LenovoEMC NAS Web UI Vulnerabilities
    Summary
    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, by setting the Iomega cookie to a known value before logging into the NAS's web application, the NAS will not provide the user a new cookie value. This allows an attacker who knows the cookie's value to compromise the user's session.
    Severity
    No CVSS data available.
    CWE
    • Session fixation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group LTD Iomega StorCenter Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD LenovoEMC Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD EZ Media and Backup Center Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Date Public
    2018-09-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:17:50.641Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Iomega StorCenter",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "LenovoEMC",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "EZ Media and Backup Center",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-09-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, by setting the Iomega cookie to a known value before logging into the NAS\u0027s web application, the NAS will not provide the user a new cookie value. This allows an attacker who knows the cookie\u0027s value to compromise the user\u0027s session."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Session fixation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-09-28T19:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
            }
          ],
          "source": {
            "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
            "discovery": "UNKNOWN"
          },
          "title": "Iomega and LenovoEMC NAS Web UI Vulnerabilities",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2018-9080",
              "STATE": "PUBLIC",
              "TITLE": "Iomega and LenovoEMC NAS Web UI Vulnerabilities"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Iomega StorCenter",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "LenovoEMC",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "EZ Media and Backup Center",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group LTD"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, by setting the Iomega cookie to a known value before logging into the NAS\u0027s web application, the NAS will not provide the user a new cookie value. This allows an attacker who knows the cookie\u0027s value to compromise the user\u0027s session."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Session fixation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-24224",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
                }
              ]
            },
            "source": {
              "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9080",
        "datePublished": "2018-09-28T20:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:17:50.641Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9081 (GCVE-0-2018-9081)

    Vulnerability from cvelistv5 – Published: 2018-09-28 20:00 – Updated: 2024-08-05 07:17
    VLAI
    Title
    Iomega and LenovoEMC NAS Web UI Vulnerabilities
    Summary
    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file name used for assets accessible through the Content Viewer application are vulnerable to self cross-site scripting self-XSS. As a result, adversaries can add files to shares accessible from the Content Viewer with a cross site scripting payload in its name, and wait for a user to try and rename the file for their payload to trigger.
    Severity
    No CVSS data available.
    CWE
    • Cross-site scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group LTD Iomega StorCenter Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD LenovoEMC Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD EZ Media and Backup Center Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Date Public
    2018-09-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:17:50.658Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Iomega StorCenter",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "LenovoEMC",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "EZ Media and Backup Center",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-09-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file name used for assets accessible through the Content Viewer application are vulnerable to self cross-site scripting self-XSS. As a result, adversaries can add files to shares accessible from the Content Viewer with a cross site scripting payload in its name, and wait for a user to try and rename the file for their payload to trigger."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-09-28T19:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
            }
          ],
          "source": {
            "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
            "discovery": "UNKNOWN"
          },
          "title": "Iomega and LenovoEMC NAS Web UI Vulnerabilities",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2018-9081",
              "STATE": "PUBLIC",
              "TITLE": "Iomega and LenovoEMC NAS Web UI Vulnerabilities"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Iomega StorCenter",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "LenovoEMC",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "EZ Media and Backup Center",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group LTD"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file name used for assets accessible through the Content Viewer application are vulnerable to self cross-site scripting self-XSS. As a result, adversaries can add files to shares accessible from the Content Viewer with a cross site scripting payload in its name, and wait for a user to try and rename the file for their payload to trigger."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-24224",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
                }
              ]
            },
            "source": {
              "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9081",
        "datePublished": "2018-09-28T20:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:17:50.658Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9082 (GCVE-0-2018-9082)

    Vulnerability from cvelistv5 – Published: 2018-09-28 20:00 – Updated: 2024-08-05 07:17
    VLAI
    Title
    Iomega and LenovoEMC NAS Web UI Vulnerabilities
    Summary
    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one. As a result, attackers with access to the user's session tokens can change their password and retain access to the user's account
    Severity
    No CVSS data available.
    CWE
    • Password change does not require existing password
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group LTD Iomega StorCenter Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD LenovoEMC Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Lenovo Group LTD EZ Media and Backup Center Affected: 4.1.402.34662 , ≤ 4.1.402.34662 (custom)
    Create a notification for this product.
    Date Public
    2018-09-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:17:50.627Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Iomega StorCenter",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "LenovoEMC",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "EZ Media and Backup Center",
              "vendor": "Lenovo Group LTD",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.402.34662",
                  "status": "affected",
                  "version": "4.1.402.34662",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-09-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user\u0027s current password to set a new one. As a result, attackers with access to the user\u0027s session tokens can change their password and retain access to the user\u0027s account"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Password change does not require existing password",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-09-28T19:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
            }
          ],
          "source": {
            "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
            "discovery": "UNKNOWN"
          },
          "title": "Iomega and LenovoEMC NAS Web UI Vulnerabilities",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2018-9082",
              "STATE": "PUBLIC",
              "TITLE": "Iomega and LenovoEMC NAS Web UI Vulnerabilities"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Iomega StorCenter",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "LenovoEMC",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "EZ Media and Backup Center",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "4.1.402.34662",
                                "version_value": "4.1.402.34662"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group LTD"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user\u0027s current password to set a new one. As a result, attackers with access to the user\u0027s session tokens can change their password and retain access to the user\u0027s account"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Password change does not require existing password"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-24224",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-24224"
                }
              ]
            },
            "source": {
              "advisory": "https://support.lenovo.com/us/en/solutions/LEN-24224",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9082",
        "datePublished": "2018-09-28T20:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:17:50.627Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }