First published: Fri Sep 28 2018
For some Iomega, Lenovo, and LenovoEMC NAS devices running versions 4.1.402.34662 and earlier, the Content Explorer application lets users upload files to shares, and an uploaded image is rendered in the browser in the device's origin instead of prompting a download of the asset. The application does not prevent users from uploading SVG images and returns these images within its own origin. As a result, malicious users can upload SVG images that contain arbitrary JavaScript, which is evaluated when the victim issues a request to download the file.
Credit: psirt@lenovo.com
Affected Software | Affected Version | How to fix |
---|---|---|
Lenovo Storcenter Px12-450r Firmware | =4.1.402.34662 | |
Lenovo Storcenter Px12-450r | ||
Lenovo Storcenter Px12-400r Firmware | =4.1.402.34662 | |
Lenovo Storcenter Px12-400r | ||
Lenovo Storcenter Px4-300r Firmware | =4.1.402.34662 | |
Lenovo Storcenter Px4-300r | ||
Lenovo Storcenter Px6-300d Firmware | =4.1.402.34662 | |
Lenovo Storcenter Px6-300d | ||
Lenovo Storcenter Px4-300d Firmware | =4.1.402.34662 | |
Lenovo Storcenter Px4-300d | ||
Lenovo Storcenter Px2-300d Firmware | =4.1.402.34662 | |
Lenovo Storcenter Px2-300d | ||
Lenovo Storcenter Ix4-300d Firmware | =4.1.402.34662 | |
Lenovo Storcenter Ix4-300d | ||
Lenovo Storcenter Ix2 Firmware | =4.1.402.34662 | |
Lenovo Storcenter Ix2 | ||
Lenovo Storcenter Ix2-dl Firmware | =4.1.402.34662 | |
Lenovo Storcenter Ix2-dl | ||
Lenovo Ez Media & Backup Center Firmware | =4.1.402.34662 | |
Lenovo Ez Media & Backup Center | ||
Lenovo Px12-450r Firmware | =4.1.402.34662 | |
Lenovo Px12-450r | ||
Lenovo Px12-400r Firmware | =4.1.402.34662 | |
Lenovo Px12-400r | ||
Lenovo Px4-400r Firmware | =4.1.402.34662 | |
Lenovo Px4-400r | ||
Lenovo Px4-300r Firmware | =4.1.402.34662 | |
Lenovo Px4-300r | ||
Lenovo Px6-300d Firmware | =4.1.402.34662 | |
Lenovo Px6-300d | ||
Lenovo Px4-400d Firmware | =4.1.402.34662 | |
Lenovo Px4-400d | ||
Lenovo Px4-300d Firmware | =4.1.402.34662 | |
Lenovo Px4-300d | ||
Lenovo Px2-300d Firmware | =4.1.402.34662 | |
Lenovo Px2-300d | ||
Lenovo Ix4-300d Firmware | =4.1.402.34662 | |
Lenovo Ix4-300d | ||
Lenovo Ix2 Firmware | =4.1.402.34662 | |
Lenovo Ix2 | ||