Stored CSV Injection Vulnerability in Lenovo XClarity Controller
CVE-2019-6187
6.5 MEDIUM
Key Information:
- Vendor: Lenovo
- CVE Published: 19 November 2019
Summary
A vulnerability exists in Lenovo XClarity Controller (XCC) that allows administrative users to store malformed data in specific server informational fields. As a result, crafted formulas can be included in exported CSV files. The crafted formulas do not affect the XCC server directly, but they can compromise the integrity of data when the exported file is accessed through other applications. Users should be aware of this risk and take appropriate measures to validate and sanitize data inputs.
Affected Version(s)
Lenovo XClarity Controller (XCC) < unspecified
CVSS V3.1
- Score: 6.5
- Severity: MEDIUM
- Confidentiality: High
- Integrity: None
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved