CVE-2018-9080

Summary

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, by setting the Iomega cookie to a known value before logging into the NAS's web application, the NAS will not provide the user a new cookie value. This allows an attacker who knows the cookie's value to compromise the user's session.

Affected Software

VendorProductVersion RangeStatus
Lenovo Group LTDIomega StorCenter4.1.402.34662 <= 4.1.402.34662affected
Lenovo Group LTDLenovoEMC4.1.402.34662 <= 4.1.402.34662affected
Lenovo Group LTDEZ Media and Backup Center4.1.402.34662 <= 4.1.402.34662affected

Weaknesses

  • Session fixation

ADP Enrichment

CVE Program Container

Additional References

References