CVE-2018-9078

EPSS 0.47%
Published 28.09.2018 20:29:01
Last modified 21.11.2024 04:14:55
Source psirt@lenovo.com
Teams watchlist Login
Open Login

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device's origin instead of prompting to download the asset. The application does not prevent the user from uploading SVG images and returns these images within their origin. As a result, malicious users can upload SVG images that contain arbitrary JavaScript that is evaluated when the victim issues a request to download the file.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Lenovo ≫ Storcenter Px12-450r Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Px12-450r Version-

Lenovo ≫ Storcenter Px12-400r Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Px12-400r Version-

Lenovo ≫ Storcenter Px4-300r Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Px4-300r Version-

Lenovo ≫ Storcenter Px6-300d Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Px6-300d Version-

Lenovo ≫ Storcenter Px4-300d Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Px4-300d Version-

Lenovo ≫ Storcenter Px2-300d Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Px2-300d Version-

Lenovo ≫ Storcenter Ix4-300d Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Ix4-300d Version-

Lenovo ≫ Storcenter Ix2 Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Ix2 Version-

Lenovo ≫ Storcenter Ix2-dl Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Ix2-dl Version-

Lenovo ≫ Ez Media & Backup Center Firmware Version4.1.402.34662

Lenovo ≫ Ez Media & Backup Center Version-

Lenovo ≫ Px12-450r Firmware Version4.1.402.34662

Lenovo ≫ Px12-450r Version-

Lenovo ≫ Px12-400r Firmware Version4.1.402.34662

Lenovo ≫ Px12-400r Version-

Lenovo ≫ Px4-400r Firmware Version4.1.402.34662

Lenovo ≫ Px4-400r Version-

Lenovo ≫ Px4-300r Firmware Version4.1.402.34662

Lenovo ≫ Px4-300r Version-

Lenovo ≫ Px6-300d Firmware Version4.1.402.34662

Lenovo ≫ Px6-300d Version-

Lenovo ≫ Px4-400d Firmware Version4.1.402.34662

Lenovo ≫ Px4-400d Version-

Lenovo ≫ Px4-300d Firmware Version4.1.402.34662

Lenovo ≫ Px4-300d Version-

Lenovo ≫ Px2-300d Firmware Version4.1.402.34662

Lenovo ≫ Px2-300d Version-

Lenovo ≫ Ix4-300d Firmware Version4.1.402.34662

Lenovo ≫ Ix4-300d Version-

Lenovo ≫ Ix2 Firmware Version4.1.402.34662

Lenovo ≫ Ix2 Version-

Lenovo ≫ Ez Media & Backup Center Firmware Version4.1.402.34662

Lenovo ≫ Ez Media & Backup Center Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.47%	0.617

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://support.lenovo.com/us/en/solutions/LEN-24224

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-9078

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-9078

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-9078

EUVD