Authenticated Password Manipulation in ThinkSystem Servers by Lenovo
CVE-2023-4606
CVSS 8.1 (HIGH)
Key Information:
- Vendor: Lenovo
- CVE Published: 25 October 2023
What is CVE-2023-4606?
An authentication vulnerability exists in Lenovo ThinkSystem servers: an authenticated XCC user with Read-Only permissions can use a crafted API command to change another user's password. The issue affects ThinkSystem v2 and v3 servers equipped with XCC; ThinkSystem v1 servers are not affected. Users are advised to apply the necessary security measures to mitigate the risk of unauthorized password changes.
Affected Version(s)
- Lenovo XClarity Controller (XCC): various