Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-3897: Authentication Bypass Vulnerabilities in FPC2 and SMM Firmware - Lenovo Support DE

An authentication bypass vulnerability was discovered in an internal service of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware during an that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected.

CVE
#vulnerability

About Lenovo

  • Our Company
  • News
  • Investor Relations
  • Sustainability
  • Product Compliance
  • Product Security
  • Lenovo Open Source
  • Legal Information
  • Jobs at Lenovo

Shop

  • Laptops & Ultrabooks
  • Tablets
  • Desktops & All-in-Ones
  • Workstations
  • Accessories & Software
  • Servers
  • Storage
  • Networking
  • Laptop Deals
  • Outlet

Support

  • Drivers & Software
  • How To’s
  • Warranty Lookup
  • Parts Lookup
  • Contact Us
  • Repair Status Check
  • Imaging & Security Resources

Resources

  • Where to Buy
  • Shopping Help
  • Sales Order Status
  • Product Specifications (PSREF)
  • Forums
  • Registration
  • Product Accessibility
  • Environmental Information
  • Gaming Community
  • LenovoEDU Community
  • LenovoPRO Community

© Lenovo.
| | |

Related news

Atlassian Drops Patches for Critical Jira Authentication Bypass Vulnerability

Atlassian has published a security advisory warning of a critical vulnerability in its Jira software that could be abused by a remote, unauthenticated attacker to circumvent authentication protections. Tracked as CVE-2022-0540, the flaw is rated 9.9 out of 10 on the CVSS scoring system and resides in Jira's authentication framework, Jira Seraph. Khoadha of Viettel Cyber Security has been

Amazon's Hotpatch for Log4j Flaw Found Vulnerable to Privilege Escalation Bug

The "hotpatch" released by Amazon Web Services (AWS) in response to the Log4Shell vulnerabilities could be leveraged for container escape and privilege escalation, allowing an attacker to seize control of the underlying host. "Aside from containers, unprivileged processes can also exploit the patch to escalate privileges and gain root code execution," Palo Alto Networks Unit 42 researcher Yuval

CVE-2021-4212: Multi-vendor BIOS Security Vulnerabilities (February 2022) - Lenovo Support DE

A potential vulnerability in the SMI callback function used in the Legacy BIOS mode driver in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.

CVE-2021-3898: Motorola Android App Vulnerabilities - Lenovo Support DE

Versions of Motorola Ready For and Motorola Device Help Android applications prior to 2021-04-08 do not properly verify the server certificate which could lead to the communication channel being accessible by an attacker.

CVE-2022-0636: Lenovo Thin Installer Denial of Service Vulnerability - Lenovo Support DE

A denial of service vulnerability was reported in Lenovo Thin Installer prior to version 1.3.0039 that could trigger a system crash.

CVE-2022-0354: Lenovo System Update Privilege Escalation Vulnerability - Lenovo Support DE

A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access the ability to execute code with elevated privileges only during the installation of a System Update package released before 2022-02-25 that displays a command prompt window.

CVE-2021-3972: Lenovo Notebook BIOS Vulnerabilities - Lenovo Support DE

A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices' BIOS that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

CVE-2022-1108: ThinkPad BIOS Vulnerabilities - Lenovo Support DE

A potential vulnerability due to improper buffer validation in the SMI handler LenovoFlashDeviceInterface in Thinkpad X1 Fold Gen 1 could be exploited by an attacker with local access and elevated privileges to execute arbitrary code.

CVE-2021-38946: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 211240.

CVE-2021-38904: IBM Cognos Analytics information disclosure CVE-2021-38904 Vulnerability Report

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings. IBM X-Force ID: 209693.

CVE-2021-38905: IBM Cognos Analytics information disclosure CVE-2021-38905 Vulnerability Report

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 could allow an authenticated user to view report pages that they should not have access to. IBM X-Force ID: 209697.

CVE-2021-38886: IBM Cognos Analytics cross-site request forgery CVE-2021-38886 Vulnerability Report

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 209399.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907