CVE-2018-9082

EPSS 0.21%
Published 28.09.2018 20:29:01
Last modified 21.11.2024 04:14:56
Source psirt@lenovo.com
Teams watchlist Login
Open Login

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one. As a result, attackers with access to the user's session tokens can change their password and retain access to the user's account

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Lenovo ≫ Storcenter Px12-450r Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Px12-450r Version-

Lenovo ≫ Storcenter Px12-400r Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Px12-400r Version-

Lenovo ≫ Storcenter Px4-300r Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Px4-300r Version-

Lenovo ≫ Storcenter Px6-300d Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Px6-300d Version-

Lenovo ≫ Storcenter Px4-300d Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Px4-300d Version-

Lenovo ≫ Storcenter Px2-300d Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Px2-300d Version-

Lenovo ≫ Storcenter Ix4-300d Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Ix4-300d Version-

Lenovo ≫ Storcenter Ix2 Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Ix2 Version-

Lenovo ≫ Storcenter Ix2-dl Firmware Version4.1.402.34662

Lenovo ≫ Storcenter Ix2-dl Version-

Lenovo ≫ Ez Media & Backup Center Firmware Version4.1.402.34662

Lenovo ≫ Ez Media & Backup Center Version-

Lenovo ≫ Px12-450r Firmware Version4.1.402.34662

Lenovo ≫ Px12-450r Version-

Lenovo ≫ Px12-400r Firmware Version4.1.402.34662

Lenovo ≫ Px12-400r Version-

Lenovo ≫ Px4-400r Firmware Version4.1.402.34662

Lenovo ≫ Px4-400r Version-

Lenovo ≫ Px4-300r Firmware Version4.1.402.34662

Lenovo ≫ Px4-300r Version-

Lenovo ≫ Px6-300d Firmware Version4.1.402.34662

Lenovo ≫ Px6-300d Version-

Lenovo ≫ Px4-400d Firmware Version4.1.402.34662

Lenovo ≫ Px4-400d Version-

Lenovo ≫ Px4-300d Firmware Version4.1.402.34662

Lenovo ≫ Px4-300d Version-

Lenovo ≫ Px2-300d Firmware Version4.1.402.34662

Lenovo ≫ Px2-300d Version-

Lenovo ≫ Ix4-300d Firmware Version4.1.402.34662

Lenovo ≫ Ix4-300d Version-

Lenovo ≫ Ix2 Firmware Version4.1.402.34662

Lenovo ≫ Ix2 Version-

Lenovo ≫ Ez Media & Backup Center Firmware Version4.1.402.34662

Lenovo ≫ Ez Media & Backup Center Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.21%	0.404

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:N/I:P/A:N

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

https://support.lenovo.com/us/en/solutions/LEN-24224

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-9082

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-9082

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-9082

EUVD