CVE-2023-25495

MEDIUM

Lenovo Thinkagile Hx5530 Firmware - Insufficiently Protected Creden...

Title source: rule

Description

A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC to authenticate to an external LDAP server in certain configurations. There is no exposure where no LDAP client password is configured.

Scores

CVSS v3 4.9
EPSS 0.0014
EPSS Percentile 34.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Classification

CWE
CWE-522
Status published

Affected Products (50)

lenovo/thinkagile_hx5530_firmware < 2.93_afbt30p
lenovo/thinkagile_hx7530_firmware < 2.93_afbt30p
lenovo/thinkagile_vx3331_firmware < 2.93_afbt30p
lenovo/thinkagile_hx_enclosure_firmware < 3.72_tei388s
lenovo/thinkagile_hx1021_firmware < 3.72_tei388s
lenovo/thinkagile_hx1320_firmware < 8.88_cdi3a4a
lenovo/thinkagile_hx1321_firmware < 8.88_cdi3a4a
lenovo/thinkagile_hx1331_firmware < 2.93_afbt30p
lenovo/thinkagile_hx1520-r_firmware < 8.88_cdi3a4a
lenovo/thinkagile_hx1521-r_firmware < 8.88_cdi3a4a
lenovo/thinkagile_hx2320-e_firmware < 8.88_cdi3a4a
lenovo/thinkagile_hx2321_firmware < 8.88_cdi3a4a
lenovo/thinkagile_hx2330_firmware < 2.93_afbt30p
lenovo/thinkagile_hx2330_firmware
lenovo/thinkagile_hx2331_firmware < 2.93_afbt30p
... and 35 more

Timeline

Published Apr 28, 2023
Tracked Since Feb 18, 2026