github - ghsa-hvmh-jgw7-f7xg

ghsa-hvmh-jgw7-f7xg

Vulnerability from github

Published

2022-05-24 17:01

Modified

2022-05-24 17:01

Details

A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server informational fields, that could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on XCC itself and has no effect on the server.

Show details on source website

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-6187"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-20T02:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server informational fields, that could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on XCC itself and has no effect on the server.",
  "id": "GHSA-hvmh-jgw7-f7xg",
  "modified": "2022-05-24T17:01:38Z",
  "published": "2022-05-24T17:01:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6187"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/solutions/LEN-29118"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2019-6187 (GCVE-0-2019-6187)

Vulnerability from cvelistv5

Published

2019-11-20 01:31

Modified

2024-09-17 00:50

Severity ?

CWE

arbitrary eode execution

Summary

A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server informational fields, that could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on XCC itself and has no effect on the server.

References

►

URL

Tags

https://support.lenovo.com/solutions/LEN-29118

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Lenovo	Lenovo XClarity Controller (XCC)	Version: unspecified < TEI392M Version: unspecified < CDI340M Version: unspecified < G1I312 Version: unspecified < PSI328M

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T20:16:24.496Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://support.lenovo.com/solutions/LEN-29118"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Lenovo XClarity Controller (XCC)",
          "vendor": "Lenovo",
          "versions": [
            {
              "lessThan": "TEI392M",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "CDI340M",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "G1I312",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "PSI328M",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2019-11-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server informational fields, that could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on XCC itself and has no effect on the server."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "arbitrary eode execution",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-11-20T01:31:13",
        "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "shortName": "lenovo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://support.lenovo.com/solutions/LEN-29118"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update LXCC to the version indicated for your product."
        }
      ],
      "source": {
        "advisory": "LEN-29118",
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.0.8"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@lenovo.com",
          "DATE_PUBLIC": "2019-11-19T17:00:00.000Z",
          "ID": "CVE-2019-6187",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Lenovo XClarity Controller (XCC)",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_value": "TEI392M"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "CDI340M"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "G1I312"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "PSI328M"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Lenovo"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server informational fields, that could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on XCC itself and has no effect on the server."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.8"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "arbitrary eode execution"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://support.lenovo.com/solutions/LEN-29118",
              "refsource": "MISC",
              "url": "https://support.lenovo.com/solutions/LEN-29118"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update LXCC to the version indicated for your product."
          }
        ],
        "source": {
          "advisory": "LEN-29118",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
    "assignerShortName": "lenovo",
    "cveId": "CVE-2019-6187",
    "datePublished": "2019-11-20T01:31:13.802773Z",
    "dateReserved": "2019-01-11T00:00:00",
    "dateUpdated": "2024-09-17T00:50:51.427Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.