Lenovo LXCA and LXCI Multiple Vulnerabilities

Summary

LXCA and LXCI suffer from multiple vulnerabilities.

Credit:

The information has been provided by the vendor.

The original article can be found at:

https://support.lenovo.com/in/en/solutions/len-27805

 


Details

Vulnerabilities reported in Lenovo XClarity Administrator (LXCA) and Lenovo XClarity Integrator (LXCI) could allow information disclosure or code execution.

An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) and Lenovo XClarity Integrator (LXCI) that could allow information disclosure.

A stored cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) that could allow an administrative user to cause JavaScript code to be stored in LXCA which may then be executed in the user’s web browser. The JavaScript code is not executed on LXCA itself.

A reflected cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) that could allow a crafted URL, if visited, to cause JavaScript code to be executed in the user’s web browser. The JavaScript code is not executed on LXCA itself.

A stored CSV Injection vulnerability was reported in Lenovo XClarity Administrator (LXCA) that could allow an administrative user to store malformed data in LXCA Jobs and Event Log data, that could result in crafted formulas stored in an exported CSV file. The crafted formula is not executed on LXCA itself.

Vulnerable Systems:

LXCA installation to version 2.5.0 or later.

LXCI for Microsoft System Center to version 7.7.0 or later.

LXCI for VMware vCenter to version 6.1.0 or later.

CVE Information:

CVE-2019-6180

CVE-2019-6179

CVE-2019-6181

CVE-2019-6182

Disclosure Timeline:
Published Date: 09/10/2019