CVE-2019-19758 - OpenCVE

A vulnerability in the web interface of Lenovo EZ Media & Backup Center, ix2 & ix2-dl version 4.1.406.34763 and prior could allow an unauthenticated, remote attacker to redirect a user to an untrusted web page.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Lenovo	Ez Media \& Backup Center Ix2 Firmware Ez Media \& Backup Center Ix2-dl Ez Media \& Backup Center Ix2 Ez Media \& Backup Center Ix2-dl Firmware

Configuration 1 [-]

AND

cpe:2.3:o:lenovo:ez_media_\&_backup_center_ix2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:ez_media_\&_backup_center_ix2:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:lenovo:ez_media_\&_backup_center_ix2-dl_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:ez_media_\&_backup_center_ix2-dl:-:*:*:*:*:*:*:*

References

Link	Resource
https://support.lenovo.com/us/en/product_security/LEN-30242	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: lenovo

Published: 2020-02-14T00:00:00

Updated: 2020-02-14T17:10:24

Reserved: 2019-12-12T00:00:00

Link: CVE-2019-19758

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-02-14T17:15:11.987

Modified: 2020-02-27T14:16:50.720

Link: CVE-2019-19758

JSON object: View

Redhat Information

No data.

CWE

CWE-601

{"containers": {"cna": {"affected": [{"product": "EZ Media & Backup Center ix2", "vendor": "Lenovo", "versions": [{"lessThanOrEqual": "4.1.406.34763", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "EZ Media & Backup Center ix2-dl", "vendor": "Lenovo", "versions": [{"lessThanOrEqual": "4.1.406.34763", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Lenovo thanks Mostafa Noureldin for reporting this issue."}], "datePublic": "2020-02-14T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the web interface of Lenovo EZ Media & Backup Center, ix2 & ix2-dl version 4.1.406.34763 and prior could allow an unauthenticated, remote attacker to redirect a user to an untrusted web page."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-02-14T17:10:24", "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.lenovo.com/us/en/product_security/LEN-30242"}], "solutions": [{"lang": "en", "value": "Lenovo has ended support for Lenovo EZ Media & Backup Center, ix2 & ix2-dl as of March 31, 2019, therefore Lenovo recommends discontinuation of use. If it is not feasible to discontinue use, Lenovo recommends using the device only on trusted networks and clicking on device URLs only from trustworthy sources."}], "source": {"advisory": "LEN-30242", "discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@lenovo.com", "DATE_PUBLIC": "2020-02-14T17:00:00.000Z", "ID": "CVE-2019-19758", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "EZ Media & Backup Center ix2", "version": {"version_data": [{"version_affected": "<=", "version_value": "4.1.406.34763"}]}}, {"product_name": "EZ Media & Backup Center ix2-dl", "version": {"version_data": [{"version_affected": "<=", "version_value": "4.1.406.34763"}]}}]}, "vendor_name": "Lenovo"}]}}, "credit": [{"lang": "eng", "value": "Lenovo thanks Mostafa Noureldin for reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the web interface of Lenovo EZ Media & Backup Center, ix2 & ix2-dl version 4.1.406.34763 and prior could allow an unauthenticated, remote attacker to redirect a user to an untrusted web page."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}]}, "references": {"reference_data": [{"name": "https://support.lenovo.com/us/en/product_security/LEN-30242", "refsource": "MISC", "url": "https://support.lenovo.com/us/en/product_security/LEN-30242"}]}, "solution": [{"lang": "en", "value": "Lenovo has ended support for Lenovo EZ Media & Backup Center, ix2 & ix2-dl as of March 31, 2019, therefore Lenovo recommends discontinuation of use. If it is not feasible to discontinue use, Lenovo recommends using the device only on trusted networks and clicking on device URLs only from trustworthy sources."}], "source": {"advisory": "LEN-30242", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "assignerShortName": "lenovo", "cveId": "CVE-2019-19758", "datePublished": "2020-02-14T00:00:00", "dateReserved": "2019-12-12T00:00:00", "dateUpdated": "2020-02-14T17:10:24", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lenovo:ez_media_\\&_backup_center_ix2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "3ADE8A7F-717E-4F61-99FC-40EE723687C6", "versionEndIncluding": "4.1.406.34763", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:ez_media_\\&_backup_center_ix2:-:*:*:*:*:*:*:*", "matchCriteriaId": "9566563C-73FB-4470-BAAA-7C1A07A02B31", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lenovo:ez_media_\\&_backup_center_ix2-dl_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9ED80D16-0202-4C61-8AD1-85EFF41F7E5B", "versionEndIncluding": "-4.1.406.34763", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:ez_media_\\&_backup_center_ix2-dl:-:*:*:*:*:*:*:*", "matchCriteriaId": "5DAD19F8-49D2-444B-B451-15120383D017", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A vulnerability in the web interface of Lenovo EZ Media & Backup Center, ix2 & ix2-dl version 4.1.406.34763 and prior could allow an unauthenticated, remote attacker to redirect a user to an untrusted web page."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz web de Lenovo EZ Media & Backup Center, ix2 & ix2-dl versiones 4.1.406.34763 y anteriores, lo que podr\u00eda permitir a un atacante no autenticado remoto redireccionar a un usuario hacia una p\u00e1gina web no confiable."}], "id": "CVE-2019-19758", "lastModified": "2020-02-27T14:16:50.720", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "psirt@lenovo.com", "type": "Secondary"}]}, "published": "2020-02-14T17:15:11.987", "references": [{"source": "psirt@lenovo.com", "tags": ["Vendor Advisory"], "url": "https://support.lenovo.com/us/en/product_security/LEN-30242"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-601"}], "source": "psirt@lenovo.com", "type": "Secondary"}]}