1. Home
  2. CVE Database
  3. CVE-2018-9078
HIGH · 8.8

CVE-2018-9078

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in th...

Vulnerability Description

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device's origin instead of prompting to download the asset. The application does not prevent the user from uploading SVG images and returns these images within their origin. As a result, malicious users can upload SVG images that contain arbitrary JavaScript that is evaluated when the victim issues a request to download the file.

CVSS Score

8.8

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
LenovoStorcenter Px12-450R Firmware4.1.402.34662
LenovoStorcenter Px12-450R-
LenovoStorcenter Px12-400R Firmware4.1.402.34662
LenovoStorcenter Px12-400R-
LenovoStorcenter Px4-300R Firmware4.1.402.34662
LenovoStorcenter Px4-300R-
LenovoStorcenter Px6-300D Firmware4.1.402.34662
LenovoStorcenter Px6-300D-
LenovoStorcenter Px4-300D Firmware4.1.402.34662
LenovoStorcenter Px4-300D-
LenovoStorcenter Px2-300D Firmware4.1.402.34662
LenovoStorcenter Px2-300D-
LenovoStorcenter Ix4-300D Firmware4.1.402.34662
LenovoStorcenter Ix4-300D-
LenovoStorcenter Ix2 Firmware4.1.402.34662
LenovoStorcenter Ix2-
LenovoStorcenter Ix2-Dl Firmware4.1.402.34662
LenovoStorcenter Ix2-Dl-
LenovoEz Media \& Backup Center Firmware4.1.402.34662
LenovoEz Media \& Backup Center-

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2018-9078?

CVE-2018-9078 is a vulnerability with a CVSS score of 8.8 (HIGH). For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in th...

How severe is CVE-2018-9078?

CVE-2018-9078 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-9078?

Check the references section above for vendor advisories and patch information. Affected products include: Lenovo Storcenter Px12-450R Firmware, Lenovo Storcenter Px12-450R, Lenovo Storcenter Px12-400R Firmware, Lenovo Storcenter Px12-400R, Lenovo Storcenter Px4-300R Firmware.