CVE-2018-9078
HIGHLenovo Iomega and LenovoEMC NAS <= 4.1.402.34662 - Stored Cross-Site Scripting via SVG Upload
Title source: llmDescription
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device's origin instead of prompting to download the asset. The application does not prevent the user from uploading SVG images and returns these images within their origin. As a result, malicious users can upload SVG images that contain arbitrary JavaScript that is evaluated when the victim issues a request to download the file.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://support.lenovo.com/us/en/solutions/LEN-24224
Scores
CVSS v3
8.8
EPSS
0.0045
EPSS Percentile
63.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-79
Status
published
Products (20)
lenovo/ez_media_\&_backup_center_firmware
4.1.402.34662
lenovo/ix2_firmware
4.1.402.34662
lenovo/ix4-300d_firmware
4.1.402.34662
lenovo/px12-400r_firmware
4.1.402.34662
lenovo/px12-450r_firmware
4.1.402.34662
lenovo/px2-300d_firmware
4.1.402.34662
lenovo/px4-300d_firmware
4.1.402.34662
lenovo/px4-300r_firmware
4.1.402.34662
lenovo/px4-400d_firmware
4.1.402.34662
lenovo/px4-400r_firmware
4.1.402.34662
... and 10 more
Published
Sep 28, 2018
Tracked Since
Feb 18, 2026