CVE-2023-4616

This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/thumbnail endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user.
Configurations

Configuration 1 (hide)

cpe:2.3:a:lg:lg_led_assistant:2.1.45:*:*:*:*:*:*:*

History

21 Nov 2024, 08:35

Type Values Removed Values Added
References () https://lgsecurity.lge.com/bulletins/idproducts#updateDetails - Vendor Advisory () https://lgsecurity.lge.com/bulletins/idproducts#updateDetails - Vendor Advisory
References () https://www.zerodayinitiative.com/advisories/ZDI-23-1223/ - Third Party Advisory, VDB Entry () https://www.zerodayinitiative.com/advisories/ZDI-23-1223/ - Third Party Advisory, VDB Entry

08 Sep 2023, 14:14

Type Values Removed Values Added
References (MISC) https://lgsecurity.lge.com/bulletins/idproducts#updateDetails - (MISC) https://lgsecurity.lge.com/bulletins/idproducts#updateDetails - Vendor Advisory
References (MISC) https://www.zerodayinitiative.com/advisories/ZDI-23-1223/ - (MISC) https://www.zerodayinitiative.com/advisories/ZDI-23-1223/ - Third Party Advisory, VDB Entry
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CWE CWE-22
First Time Lg lg Led Assistant
Lg
CPE cpe:2.3:a:lg:lg_led_assistant:2.1.45:*:*:*:*:*:*:*

04 Sep 2023, 11:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-09-04 11:15

Updated : 2024-11-21 08:35


NVD link : CVE-2023-4616

Mitre link : CVE-2023-4616

CVE.ORG link : CVE-2023-4616


JSON object : View

Products Affected

lg

  • lg_led_assistant
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')