A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXCA managed device through a specially crafted web API call.
Solution:
The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.
| Link | Tags |
|---|---|
| https://support.lenovo.com/us/en/product_security/LEN-154748 | vendor advisory |