CVE-2024-8280

HIGH

Lenovo XCC - Authenticated OS Command Injection via Crafted File

Description

An input validation weakness was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection or cause a recoverable denial of service using a specially crafted file.

Scores

CVSS v3 7.2
EPSS 0.0041
EPSS Percentile 61.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (50)
Lenovo/HX Enclosure Certified Node (ThinkAgile) XCC < 6.36 TEI3F4A
Lenovo/HX1021 Edge Certified Node 3yr (ThinkAgile) XCC < 4.11 TEI3E4A
Lenovo/HX1320 Appliance (ThinkAgile) XCC < 9.97 CDI3B4B
Lenovo/HX1321 Certified Node (ThinkAgile) XCC < 9.97 CDI3B4B
Lenovo/HX1331 Certified Node (ThinkAgile) XCC < 4.71 AFBT48C
Lenovo/HX1520-R Appliance (ThinkAgile) XCC < 9.97 CDI3B4B
Lenovo/HX1521-R Certified Node (ThinkAgile) XCC < 9.97 CDI3B4B
Lenovo/HX2320-E Appliance (ThinkAgile) XCC < 9.97 CDI3B4B
Lenovo/HX2321 Certified Node (ThinkAgile) XCC < 9.97 CDI3B4B
Lenovo/HX2330 Appliance (ThinkAgile) XCC < 4.71 AFBT48C
... and 40 more
Published Sep 13, 2024
Tracked Since Feb 18, 2026