6.5

CVE-2019-6187

A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server informational fields, that could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on XCC itself and has no effect on the server.

Data is provided by the National Vulnerability Database (NVD)
Lenovo Xclarity Controller Version < tei392m
   Lenovo Thinkagile 7x82 Version-
   Lenovo Thinkagile 7y11 Version-
   Lenovo Thinkagile 7y12 Version-
   Lenovo Thinkagile 7y88 Version-
   Lenovo Thinkagile 7y92 Version-
   Lenovo Thinkagile 7z03 Version-
   Lenovo Thinksystem Sd530 Version-
   Lenovo Thinksystem Sd650 Version-
   Lenovo Thinksystem Sn550 Version-
   Lenovo Thinksystem Sn850 Version-
   Lenovo Thinksystem Sr150 Version-
   Lenovo Thinksystem Sr158 Version-
   Lenovo Thinksystem Sr250 Version-
   Lenovo Thinksystem Sr258 Version-
   Lenovo Thinksystem Sr850 Version-
   Lenovo Thinksystem Sr860 Version-
   Lenovo Thinksystem St250 Version-
   Lenovo Thinksystem St258 Version-
Lenovo Xclarity Controller Version < cdi340m
   Lenovo Thinkagile 7d1h Version-
   Lenovo Thinkagile 7x83 Version-
   Lenovo Thinkagile 7y13 Version-
   Lenovo Thinkagile 7y14 Version-
   Lenovo Thinkagile 7y90 Version-
   Lenovo Thinkagile 7y93 Version-
   Lenovo Thinkagile 7y94 Version-
   Lenovo Thinkagile 7z04 Version-
   Lenovo Thinkagile 7z05 Version-
   Lenovo Thinkagile 7z06 Version-
   Lenovo Thinkagile 7z07 Version-
   Lenovo Thinkagile 7z20 Version-
   Lenovo Thinkagile Yx84 Version-
   Lenovo Thinksystem Sr530 Version-
   Lenovo Thinksystem Sr550 Version-
   Lenovo Thinksystem Sr570 Version-
   Lenovo Thinksystem Sr590 Version-
   Lenovo Thinksystem Sr630 Version-
   Lenovo Thinksystem Sr650 Version-
   Lenovo Thinksystem St550 Version-
   Lenovo Thinksystem St558 Version-
Lenovo Xclarity Controller Version < g1i312
   Lenovo Thinksystem Sr670 Version-
Lenovo Xclarity Controller Version < psi328m
   Lenovo Thinksystem Sr950 Version-
No CISA KEV or CERT.AT warning was found for this CVE.

EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.51% | 0.637

CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector string
nvd@nist.gov | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov | 4 | 8 | 2.9 | AV:N/AC:L/Au:S/C:P/I:N/A:N

CWE-1236 Improper Neutralization of Formula Elements in a CSV File

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
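
A defensive sketch of the neutralization CWE-1236 describes, applied at export time. It is an added example, not Lenovo's or this page's code. The field names and sample rows are constructed, and the apostrophe prefix plus full quoting follows OWASP's CSV injection guidance.

```python
import csv
import io

# Leading characters that spreadsheet programs treat as the start of a formula
# (OWASP's CSV injection guidance: =, +, -, @, tab, carriage return).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will display as text."""
    if not isinstance(value, str):
        return value  # numbers produced by the application, not user text
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value  # leading apostrophe forces text interpretation
    return value


def export_csv(rows, header):
    """Serialize rows to CSV, neutralizing every cell and quoting all fields."""
    buf = io.StringIO()
    # QUOTE_ALL wraps each field in double quotes and doubles embedded quotes,
    # so a stored value cannot break out of its cell with a comma or a quote.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data: hypothetical informational fields, not XCC's schema.
SAMPLE_HEADER = ["name", "location", "slot"]
SAMPLE_ROWS = [
    ["web-01", "Rack 12, Row B", 3],
    ["=1+1", "@SUM(A1:A2)", -4],          # formula-shaped stored text, real int
    ['db "primary"', "+49 30 000000", 7],  # embedded quotes, leading plus sign
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS, SAMPLE_HEADER), end="")
```

Neutralizing at export rather than at input keeps the stored value intact for other consumers while making the CSV safe to open in a spreadsheet.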