Description
An internal product security audit discovered a session handling vulnerability in the web interface of ThinkAgile CP-SB (Storage Block) BMC in firmware versions prior to 1908.M. This vulnerability allows session IDs to be reused, which could provide unauthorized access to the BMC under certain circumstances. This vulnerability does not affect ThinkSystem XCC, System x IMM2, or other BMCs.
References (1)
Core References
Vendor Advisory x_refsource_misc
https://support.lenovo.com/solutions/LEN-26957
Scores
CVSS v3
7.5
EPSS
0.0033
EPSS Percentile
56.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-384
Status
published
Products (1)
lenovo/cp_storage_block_firmware
< 1908.m
Published
Sep 26, 2019
Tracked Since
Feb 18, 2026