8.8
CVE-2018-9082
- EPSS 0.2%
- Veröffentlicht 28.09.2018 20:29:01
- Zuletzt bearbeitet 21.11.2024 04:14:56
- Quelle psirt@lenovo.com
- CVE-Watchlists
- Unerledigt
LoginIomega and LenovoEMC NAS Web UI Vulnerabilities
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one. As a result, attackers with access to the user's session tokens can change their password and retain access to the user's account
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Lenovo ≫ Storcenter Px12-450r Firmware Version4.1.402.34662
Lenovo ≫ Storcenter Px12-400r Firmware Version4.1.402.34662
Lenovo ≫ Storcenter Px4-300r Firmware Version4.1.402.34662
Lenovo ≫ Storcenter Px6-300d Firmware Version4.1.402.34662
Lenovo ≫ Storcenter Px4-300d Firmware Version4.1.402.34662
Lenovo ≫ Storcenter Px2-300d Firmware Version4.1.402.34662
Lenovo ≫ Storcenter Ix4-300d Firmware Version4.1.402.34662
Lenovo ≫ Storcenter Ix2 Firmware Version4.1.402.34662
Lenovo ≫ Storcenter Ix2-dl Firmware Version4.1.402.34662
Lenovo ≫ Ez Media & Backup Center Firmware Version4.1.402.34662
Lenovo ≫ Px12-450r Firmware Version4.1.402.34662
Lenovo ≫ Px12-400r Firmware Version4.1.402.34662
Lenovo ≫ Px4-400r Firmware Version4.1.402.34662
Lenovo ≫ Px4-300r Firmware Version4.1.402.34662
Lenovo ≫ Px6-300d Firmware Version4.1.402.34662
Lenovo ≫ Px4-400d Firmware Version4.1.402.34662
Lenovo ≫ Px4-300d Firmware Version4.1.402.34662
Lenovo ≫ Px2-300d Firmware Version4.1.402.34662
Lenovo ≫ Ix4-300d Firmware Version4.1.402.34662
Lenovo ≫ Ix2 Firmware Version4.1.402.34662
Lenovo ≫ Ez Media & Backup Center Firmware Version4.1.402.34662
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.417 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 4 | 8 | 2.9 |
AV:N/AC:L/Au:S/C:N/I:P/A:N
|
CWE-384 Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.