#VU15055 Unrestricted upload of file with dangerous type in LenovoEMC NAS Firmware - CVE-2018-9078

Cybersecurity Help s.r.o.

Published: 2018-09-30

Vulnerability identifier: #VU15055

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-9078

CWE-ID: CWE-434

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
LenovoEMC NAS Firmware
Hardware solutions / Firmware

Vendor: Lenovo

Description

The vulnerability allows a remote attacker to upload dangerous files.

The vulnerability exists due to the web interface allows uploading of SVG files. A remote authenticated attacker can upload a malicious SVG file, trick the victim into opening it in the browser and execute arbitrary JavaScript code in the context of vulnerable application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

LenovoEMC NAS Firmware: 4.1.402.34662

External links
https://support.lenovo.com/us/en/solutions/LEN-24224

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in LenovoEMC NAS Web GUI