SQL Injection Vulnerability in ThinkSystem Servers by Lenovo
CVE-2023-4608

4.1MEDIUM

Key Information:

Vendor: Lenovo
Status: Lenovo Xclarity Controller (xcc)
Vendor: CVE Published:; 25 October 2023

Summary

A blind SQL injection vulnerability exists in Lenovo ThinkSystem servers, affecting versions v2 and v3. This security flaw allows an authenticated XCC user with elevated privileges to execute a crafted API command resulting in unauthorized database access. It is crucial to mitigate this risk to protect sensitive data from potential exploitation.

Affected Version(s)

Lenovo XClarity Controller (XCC) various

References

https://support.lenovo.com/us/en/product_security/LEN-140960

CVSS V3.1

Score:

4.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 25, 2023
Vulnerability Reserved
Aug 29, 2023