CVE-2018-9082 Information

Description

For some Iomega, Lenovo, and LenovoEMC NAS devices, versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user’s current password to set a new one. As a result, attackers with access to the user’s session tokens can change their password and retain access to the user’s account.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://support.lenovo.com/us/en/solutions/LEN-24224

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

8.8

Base Severity

HIGH
