PT-2018-18839 · Iomega+1

Published

2018-09-28

·

Updated

2019-10-03

·

CVE-2018-9078

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier

Description

The Content Explorer application in the affected devices allows users to upload files to shares, including SVG images, without proper restrictions. These images are rendered in the browser within the device's origin instead of prompting the user to download them. As a result, malicious users can upload SVG images containing arbitrary JavaScript code, which the victim's browser evaluates when the victim requests to download the file.

Recommendations

For versions 4.1.402.34662 and earlier, consider disabling the file upload feature in the Content Explorer application until a patch is available, to prevent the upload of malicious SVG images. Restrict access to the Content Explorer application to minimize the risk of exploitation. Avoid using the Content Explorer application to upload or download files until the issue is resolved.
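To make the described weakness concrete, the following is an added Python example (not code from the advisory, nor from the vendor's firmware) that contrasts the inline-rendering response described above with a download handler that classifies uploads by content, never serves browser-executable markup inline in the device's origin, and screens SVG uploads for active content. The function names and the sample SVG bytes are constructed for illustration.

```python
import os
import re
import mimetypes

# Root element sniff: the extension alone is not trustworthy for user uploads.
SVG_ROOT = re.compile(rb"<svg[\s>]", re.IGNORECASE)
# Script elements, event-handler attributes and javascript: URLs in SVG markup.
ACTIVE_MARKUP = re.compile(rb"<script[\s>]|\son[a-z]+\s*=|javascript:", re.IGNORECASE)
# Formats a browser renders (and executes) when served inline.
BROWSER_EXECUTABLE = {".svg", ".svgz", ".html", ".htm", ".xhtml", ".xml"}


def is_svg(filename: str, data: bytes) -> bool:
    """True if the upload is SVG by extension or by sniffing its first bytes.
    (.svgz is gzip-compressed and is classified by extension only here.)"""
    ext = os.path.splitext(filename)[1].lower()
    return ext in (".svg", ".svgz") or bool(SVG_ROOT.search(data[:4096]))


def svg_has_active_content(data: bytes) -> bool:
    """Upload-time screen: flag SVG carrying script, event handlers or javascript: URLs."""
    return bool(ACTIVE_MARKUP.search(data))


def inline_headers(filename: str) -> dict:
    """The weak behaviour the advisory describes: the share serves the file with its
    image MIME type and no Content-Disposition, so the browser renders it in-origin."""
    return {"Content-Type": mimetypes.guess_type(filename)[0] or "application/octet-stream"}


def safe_download_headers(filename: str, data: bytes) -> dict:
    """Hardened behaviour: every share file is an attachment, MIME sniffing is disabled,
    and anything a browser could execute is sent as opaque bytes under a sandbox CSP."""
    safe_name = re.sub(r'["\r\n]', "", filename)  # keep the header single-line and well-formed
    headers = {
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }
    ext = os.path.splitext(filename)[1].lower()
    if ext in BROWSER_EXECUTABLE or is_svg(filename, data):
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Security-Policy"] = "sandbox"
    else:
        headers["Content-Type"] = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    return headers


# Constructed sample uploads (not from the advisory).
SAMPLE_ACTIVE_SVG = (b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg">'
                     b'<script>console.log("constructed sample")</script></svg>')
SAMPLE_CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
```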

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2018-9078

Affected Products

Iomega
Lenovoemc Nas