Stored CSV Injection in Lenovo XClarity Administrator
CVE-2019-6182

4.8 MEDIUM

Key Information:

Vendor
Lenovo
CVE Published:
3 September 2019

Summary

A stored CSV injection vulnerability exists in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0. It allows administrative users to inject malformed data into LXCA Jobs and Event Log data, which may lead to crafted formulas being stored in exported CSV files. These crafted formulas do not execute on the LXCA platform itself; the risk arises mainly when the data is exported.
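As an added illustration (not Lenovo's fix and not code from LXCA), the sketch below shows a common export-side mitigation for this class of issue: neutralizing formula-leading cells and quoting every field when job or event data is written to CSV. The field names and sample rows are constructed for the example.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return cell text that a spreadsheet will display rather than evaluate."""
    if value is None:
        return ""
    # Real numbers are emitted unchanged so negative values stay numeric.
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value)
    # Some importers skip leading spaces before deciding a cell is a formula.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(header, rows):
    """Serialize rows to CSV with every field quoted and every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(header)  # header is application-defined, not user input
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data; hypothetical field names, not the LXCA schema.
HEADER = ["job_id", "job_name", "message", "delta"]
SAMPLE_EVENTS = [
    [101, "Firmware update", "Completed", -3],
    [102, "=1+1", "@SUM(A1:A2)", 0],
    [103, "  -2+3", "\tpadded entry", 7],
]

if __name__ == "__main__":
    print(export_rows(HEADER, SAMPLE_EVENTS))
```

Neutralizing at export time leaves the stored log data unchanged, so it complements rather than replaces input validation on the fields that administrators can set.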

Affected Version(s)

XClarity Administrator (LXCA) < 2.5.0

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
