CVE-2019-6182

A stored CSV injection vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to store malformed data in LXCA Jobs and Event Log data, which could result in crafted formulas being stored in an exported CSV file. The crafted formula is not executed on LXCA itself.

Published: 2019-09-03 19:15
Updated: 2019-10-09 23:51

CVSS Score: 4.0 / 10
Vendor Product Version URI
Lenovo Xclarity Administrator 1.0.1 cpe:/a:lenovo:xclarity_administrator:1.0.1
Lenovo Xclarity Administrator 1.0.3 cpe:/a:lenovo:xclarity_administrator:1.0.3
Lenovo Xclarity Administrator 1.1.0 cpe:/a:lenovo:xclarity_administrator:1.1.0
Lenovo Xclarity Administrator 1.1.1 cpe:/a:lenovo:xclarity_administrator:1.1.1
Lenovo Xclarity Administrator 1.2.1 cpe:/a:lenovo:xclarity_administrator:1.2.1
Lenovo Xclarity Administrator 1.2.2 cpe:/a:lenovo:xclarity_administrator:1.2.2
Lenovo Xclarity Administrator 1.3.0 cpe:/a:lenovo:xclarity_administrator:1.3.0
Lenovo Xclarity Administrator 1.3.1 cpe:/a:lenovo:xclarity_administrator:1.3.1
Lenovo Xclarity Administrator 1.3.2 cpe:/a:lenovo:xclarity_administrator:1.3.2
Lenovo Xclarity Administrator 1.4.0 cpe:/a:lenovo:xclarity_administrator:1.4.0
Lenovo Xclarity Administrator 2.0.0 cpe:/a:lenovo:xclarity_administrator:2.0.0
Lenovo Xclarity Administrator 2.1.0 cpe:/a:lenovo:xclarity_administrator:2.1.0

CWE

ID: CWE-74
Name: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Description: The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

History of changes

Date Event
2019-09-06 13:48
2019-09-03 19:25

New CVE