CVE-2023-25495
MEDIUM
Lenovo ThinkAgile Firmware - Authenticated LDAP Password Exposure via Web Interface API
Title source: llm
Description
A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC to authenticate to an external LDAP server in certain configurations. There is no exposure where no LDAP client password is configured.
References (1)
Vendor Advisory
https://support.lenovo.com/us/en/product_security/LEN-99936
Scores
CVSS v3
4.9
EPSS
0.0028
EPSS Percentile
51.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-522
Status
published
Products (50)
lenovo/thinkagile_hx1021_firmware
< 3.72_tei388s
lenovo/thinkagile_hx1320_firmware
< 8.88_cdi3a4a
lenovo/thinkagile_hx1321_firmware
< 8.88_cdi3a4a
lenovo/thinkagile_hx1331_firmware
< 2.93_afbt30p
lenovo/thinkagile_hx1520-r_firmware
< 8.88_cdi3a4a
lenovo/thinkagile_hx1521-r_firmware
< 8.88_cdi3a4a
lenovo/thinkagile_hx2320-e_firmware
< 8.88_cdi3a4a
lenovo/thinkagile_hx2321_firmware
< 8.88_cdi3a4a
lenovo/thinkagile_hx2330_firmware
2.93_afbt30p
lenovo/thinkagile_hx2330_firmware
< 2.93_afbt30p
... and 40 more
Published
Apr 28, 2023
Tracked Since
Feb 18, 2026