CVE-2018-9079
high-risk
Published 2018-09-28
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, adversaries can craft URLs to modify the Document Object Model (DOM) of the page. In addition, adversaries can inject HTML script tags and HTML tags with JavaScript handlers to execute arbitrary JavaScript with the origin of the device.
Do I need to act?
-
0.54% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (20)
Storcenter Px12-450R Firmware
Storcenter Px12-400R Firmware
Storcenter Px4-300R Firmware
Storcenter Px6-300D Firmware
Storcenter Px4-300D Firmware
Storcenter Px2-300D Firmware
Storcenter Ix4-300D Firmware
Storcenter Ix2 Firmware
Storcenter Ix2-Dl Firmware
Ez Media \& Backup Center Firmware
Px12-450R Firmware
Px12-400R Firmware
Px4-400R Firmware
Px4-300R Firmware
Px6-300D Firmware
Px4-400D Firmware
Px4-300D Firmware
Px2-300D Firmware
Ix4-300D Firmware
Ix2 Firmware
Affected Vendors
References (2)
Vendor Advisory
https://support.lenovo.com/us/en/solutions/LEN-24224
Vendor Advisory
https://support.lenovo.com/us/en/solutions/LEN-24224
54
/ 100
high-risk
Severity
32/34 · Critical
Exploitability
2/34 · Minimal
Exposure
20/34 · Moderate