Skip to main content

Thinkagile Hx5530 Firmware CVE-2023-4608

HIGH
SQL Injection (CWE-89)
2023-10-25 psirt@lenovo.com
SQLi Thinkagile Hx5530 Firmware Thinkagile Hx7530 Firmware Thinkagile Vx3331 Firmware Thinkagile Hx1331 Firmware Thinkagile Hx2330 Firmware Thinkagile Hx2331 Firmware Thinkagile Hx3330 Firmware Thinkagile Hx3331 Firmware Thinkagile Hx3375 Firmware Thinkagile Hx3376 Firmware Thinkagile Hx5531 Firmware Thinkagile Hx7531 Firmware Thinkagile Mx3330 F All Flash Firmware Thinkagile Mx3330 H Hybrid Firmware Thinkagile Mx3331 F All Flash Firmware Thinkagile Mx3331 H Hybrid Firmware Thinkagile Mx3530 F All Flash Firmware Thinkagile Mx3530 H Hybrid Firmware Thinkagile Mx3531 H Hybrid Firmware Thinkagile Mx3531 F All Flash Firmware Thinkagile Vx2330 Firmware Thinkagile Vx3330 Firmware Thinkagile Vx3530 G Firmware Thinkagile Vx5530 Firmware Thinkagile Vx7330 Firmware Thinkagile Vx7530 Firmware Thinkagile Vx7531 Firmware Thinksystem Sd630 V2 Firmware Thinksystem Sd650 V2 Firmware Thinksystem Sd650 V3 Firmware Thinksystem Sd650 N V2 Firmware Thinksystem Sd665 V3 Firmware Thinksystem Sn550 V2 Firmware Thinksystem Sr250 Firmware Thinksystem Sr258 V2 Firmware Thinksystem Sr630 V2 Firmware Thinksystem Sr630 V3 Firmware Thinksystem Sr635 V3 Firmware Thinksystem Sr645 Firmware Thinksystem Sr645 V3 Firmware Thinksystem Sr650 V2 Firmware Thinksystem Sr650 V3 Firmware Thinksystem Sr655 V3 Firmware Thinksystem Sr665 Firmware Thinksystem Sr665 V3 Firmware Thinksystem Sr670 Firmware Thinksystem Sr670 V2 Firmware Thinksystem Sr675 V3 Firmware Thinksystem Sr850 V2 Firmware Thinksystem Sr850 V3 Firmware Thinksystem Sr860 V2 Firmware Thinksystem Sr860 V3 Firmware Thinksystem St250 V2 Firmware Thinksystem St258 V2 Firmware Thinksystem St650 V2 Firmware Thinksystem St650 V3 Firmware Thinksystem St658 V2 Firmware Thinksystem St658 V3 Firmware
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 25, 2023 - 18:17 nvd
HIGH 7.2

DescriptionNVD

An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command.

This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.

AnalysisAI

An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected. Affected products include: Lenovo Thinkagile Hx5530 Firmware, Lenovo Thinkagile Hx7530 Firmware, Lenovo Thinkagile Vx3331 Firmware, Lenovo Thinkagile Hx1331 Firmware, Lenovo Thinkagile Hx2330 Firmware.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

Share

CVE-2023-4608 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy