Search

Find a vulnerability

Search criteria

    12 vulnerabilities found for lg_led_assistant by lg

    CVE-2024-2863 (GCVE-0-2024-2863)

    Vulnerability from nvd – Published: 2024-03-25 06:39 – Updated: 2024-08-01 19:25
    VLAI
    Title
    Path traversal via file upload on LG LED Assistant
    Summary
    This vulnerability allows remote attackers to traverse paths via file upload on the affected LG LED Assistant.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-35 - Path Traversal: '.../...//'
    Assigner
    LGE
    Impacted products
    Vendor Product Version
    LG Electronics LG LED Assistant Affected: 2.1.65
    Create a notification for this product.
    lg lg_led_assistant Unknown: 0
        cpe:2.3:a:lg:lg_led_assistant:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:lg:lg_led_assistant:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "lg_led_assistant",
                "vendor": "lg",
                "versions": [
                  {
                    "status": "unknown",
                    "version": "0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-2863",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-01T17:43:44.115980Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-01T17:52:34.767Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T19:25:42.156Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LG LED Assistant",
              "vendor": "LG Electronics",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.1.65"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This vulnerability allows remote attackers to traverse paths via file upload on the affected LG LED Assistant."
                }
              ],
              "value": "This vulnerability allows remote attackers to traverse paths via file upload on the affected LG LED Assistant."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-35",
                  "description": "CWE-35: Path Traversal: \u0027.../...//\u0027",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-03-25T08:41:29.086Z",
            "orgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
            "shortName": "LGE"
          },
          "references": [
            {
              "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Path traversal via file upload on LG LED Assistant",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
        "assignerShortName": "LGE",
        "cveId": "CVE-2024-2863",
        "datePublished": "2024-03-25T06:39:46.717Z",
        "dateReserved": "2024-03-25T06:11:39.846Z",
        "dateUpdated": "2024-08-01T19:25:42.156Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-2862 (GCVE-0-2024-2862)

    Vulnerability from nvd – Published: 2024-03-25 06:31 – Updated: 2024-08-28 13:44
    VLAI
    Title
    Password reset vulnerability without authorization on LG LED Assistant
    Summary
    This vulnerability allows remote attackers to reset the password of anonymous users without authorization on the affected LG LED Assistant.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    LGE
    Impacted products
    Vendor Product Version
    LG Electronics LG LED Assistant Affected: 2.1.65
    Create a notification for this product.
    lg lg_led_assistant Affected: 2.1.65
        cpe:2.3:a:lg:lg_led_assistant:2.1.65:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T19:25:42.153Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:lg:lg_led_assistant:2.1.65:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "lg_led_assistant",
                "vendor": "lg",
                "versions": [
                  {
                    "status": "affected",
                    "version": "2.1.65"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-2862",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-25T19:16:55.600564Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-28T13:44:03.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LG LED Assistant",
              "vendor": "LG Electronics",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.1.65"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\nThis vulnerability allows remote attackers to reset the password of anonymous users without authorization on the affected LG LED Assistant.\n\n"
                }
              ],
              "value": "\nThis vulnerability allows remote attackers to reset the password of anonymous users without authorization on the affected LG LED Assistant.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-50",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-50 Password Recovery Exploitation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-03-25T06:33:31.760Z",
            "orgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
            "shortName": "LGE"
          },
          "references": [
            {
              "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Password reset vulnerability without authorization on LG LED Assistant",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
        "assignerShortName": "LGE",
        "cveId": "CVE-2024-2862",
        "datePublished": "2024-03-25T06:31:34.651Z",
        "dateReserved": "2024-03-25T06:11:38.644Z",
        "dateUpdated": "2024-08-28T13:44:03.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-4616 (GCVE-0-2023-4616)

    Vulnerability from nvd – Published: 2023-09-04 10:42 – Updated: 2024-09-30 18:48
    VLAI
    Title
    thumbnail Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability
    Summary
    This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/thumbnail endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    LGE
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:31:06.594Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1223/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-4616",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T18:48:02.758597Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T18:48:13.074Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LG-LED Assistant",
              "vendor": "LG Electronics",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.1.45"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/thumbnail endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user."
                }
              ],
              "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/thumbnail endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-64",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-64 Using Slashes and URL Encoding Combined to Bypass Validation Logic"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-04T10:42:39.941Z",
            "orgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
            "shortName": "LGE"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1223/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "thumbnail Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
        "assignerShortName": "LGE",
        "cveId": "CVE-2023-4616",
        "datePublished": "2023-09-04T10:42:14.846Z",
        "dateReserved": "2023-08-30T08:06:54.779Z",
        "dateUpdated": "2024-09-30T18:48:13.074Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-4615 (GCVE-0-2023-4615)

    Vulnerability from nvd – Published: 2023-09-04 10:39 – Updated: 2024-09-30 18:49
    VLAI
    Title
    updateFile Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability
    Summary
    This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/download/updateFile endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    LGE
    References
    Impacted products
    Date Public
    2023-08-25 10:35
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:31:06.632Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1224/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-4615",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T18:49:14.882408Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T18:49:27.510Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LG-LED Assistant",
              "vendor": "LG Electronics",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.1.45"
                }
              ]
            }
          ],
          "datePublic": "2023-08-25T10:35:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/download/updateFile endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user."
                }
              ],
              "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/download/updateFile endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-64",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-64 Using Slashes and URL Encoding Combined to Bypass Validation Logic"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-04T10:39:40.286Z",
            "orgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
            "shortName": "LGE"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1224/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "updateFile Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
        "assignerShortName": "LGE",
        "cveId": "CVE-2023-4615",
        "datePublished": "2023-09-04T10:39:30.389Z",
        "dateReserved": "2023-08-30T08:06:53.638Z",
        "dateUpdated": "2024-09-30T18:49:27.510Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-4614 (GCVE-0-2023-4614)

    Vulnerability from nvd – Published: 2023-09-04 10:33 – Updated: 2024-09-30 18:50
    VLAI
    Title
    setThumbnailRC Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability
    Summary
    This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/installation/setThumbnailRc endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    LGE
    References
    Impacted products
    Date Public
    2023-08-25 10:32
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:31:06.627Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1222/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-4614",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T18:49:57.611094Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T18:50:07.356Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LG-LED Assistant",
              "vendor": "LG Electronics",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.1.45"
                }
              ]
            }
          ],
          "datePublic": "2023-08-25T10:32:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/installation/setThumbnailRc endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user."
                }
              ],
              "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/installation/setThumbnailRc endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-253",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-253 Remote Code Inclusion"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-04T10:45:20.197Z",
            "orgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
            "shortName": "LGE"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1222/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "setThumbnailRC Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
        "assignerShortName": "LGE",
        "cveId": "CVE-2023-4614",
        "datePublished": "2023-09-04T10:33:28.596Z",
        "dateReserved": "2023-08-30T08:06:51.973Z",
        "dateUpdated": "2024-09-30T18:50:07.356Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-4613 (GCVE-0-2023-4613)

    Vulnerability from nvd – Published: 2023-09-04 08:16 – Updated: 2024-09-30 18:50
    VLAI
    Title
    Upload Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability
    Summary
    This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/settings/upload endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    LGE
    References
    Impacted products
    Date Public
    2023-08-22 07:59
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:31:06.542Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1221/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-4613",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T18:50:37.562278Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T18:50:46.494Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LG-LED Assistant",
              "vendor": "LG Electronics",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.1.45"
                }
              ]
            }
          ],
          "datePublic": "2023-08-22T07:59:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/settings/upload endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user."
                }
              ],
              "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/settings/upload endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-253",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-253 Remote Code Inclusion"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-04T10:44:18.427Z",
            "orgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
            "shortName": "LGE"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1221/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Upload Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
        "assignerShortName": "LGE",
        "cveId": "CVE-2023-4613",
        "datePublished": "2023-09-04T08:16:27.817Z",
        "dateReserved": "2023-08-30T08:06:37.751Z",
        "dateUpdated": "2024-09-30T18:50:46.494Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-2863 (GCVE-0-2024-2863)

    Vulnerability from cvelistv5 – Published: 2024-03-25 06:39 – Updated: 2024-08-01 19:25
    VLAI
    Title
    Path traversal via file upload on LG LED Assistant
    Summary
    This vulnerability allows remote attackers to traverse paths via file upload on the affected LG LED Assistant.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-35 - Path Traversal: '.../...//'
    Assigner
    LGE
    Impacted products
    Vendor Product Version
    LG Electronics LG LED Assistant Affected: 2.1.65
    Create a notification for this product.
    lg lg_led_assistant Unknown: 0
        cpe:2.3:a:lg:lg_led_assistant:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:lg:lg_led_assistant:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "lg_led_assistant",
                "vendor": "lg",
                "versions": [
                  {
                    "status": "unknown",
                    "version": "0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-2863",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-01T17:43:44.115980Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-01T17:52:34.767Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T19:25:42.156Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LG LED Assistant",
              "vendor": "LG Electronics",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.1.65"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This vulnerability allows remote attackers to traverse paths via file upload on the affected LG LED Assistant."
                }
              ],
              "value": "This vulnerability allows remote attackers to traverse paths via file upload on the affected LG LED Assistant."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-35",
                  "description": "CWE-35: Path Traversal: \u0027.../...//\u0027",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-03-25T08:41:29.086Z",
            "orgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
            "shortName": "LGE"
          },
          "references": [
            {
              "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Path traversal via file upload on LG LED Assistant",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
        "assignerShortName": "LGE",
        "cveId": "CVE-2024-2863",
        "datePublished": "2024-03-25T06:39:46.717Z",
        "dateReserved": "2024-03-25T06:11:39.846Z",
        "dateUpdated": "2024-08-01T19:25:42.156Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-2862 (GCVE-0-2024-2862)

    Vulnerability from cvelistv5 – Published: 2024-03-25 06:31 – Updated: 2024-08-28 13:44
    VLAI
    Title
    Password reset vulnerability without authorization on LG LED Assistant
    Summary
    This vulnerability allows remote attackers to reset the password of anonymous users without authorization on the affected LG LED Assistant.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    LGE
    Impacted products
    Vendor Product Version
    LG Electronics LG LED Assistant Affected: 2.1.65
    Create a notification for this product.
    lg lg_led_assistant Affected: 2.1.65
        cpe:2.3:a:lg:lg_led_assistant:2.1.65:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T19:25:42.153Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:lg:lg_led_assistant:2.1.65:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "lg_led_assistant",
                "vendor": "lg",
                "versions": [
                  {
                    "status": "affected",
                    "version": "2.1.65"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-2862",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-25T19:16:55.600564Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-28T13:44:03.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LG LED Assistant",
              "vendor": "LG Electronics",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.1.65"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\nThis vulnerability allows remote attackers to reset the password of anonymous users without authorization on the affected LG LED Assistant.\n\n"
                }
              ],
              "value": "\nThis vulnerability allows remote attackers to reset the password of anonymous users without authorization on the affected LG LED Assistant.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-50",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-50 Password Recovery Exploitation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-03-25T06:33:31.760Z",
            "orgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
            "shortName": "LGE"
          },
          "references": [
            {
              "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Password reset vulnerability without authorization on LG LED Assistant",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
        "assignerShortName": "LGE",
        "cveId": "CVE-2024-2862",
        "datePublished": "2024-03-25T06:31:34.651Z",
        "dateReserved": "2024-03-25T06:11:38.644Z",
        "dateUpdated": "2024-08-28T13:44:03.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-4616 (GCVE-0-2023-4616)

    Vulnerability from cvelistv5 – Published: 2023-09-04 10:42 – Updated: 2024-09-30 18:48
    VLAI
    Title
    thumbnail Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability
    Summary
    This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/thumbnail endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    LGE
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:31:06.594Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1223/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-4616",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T18:48:02.758597Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T18:48:13.074Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LG-LED Assistant",
              "vendor": "LG Electronics",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.1.45"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/thumbnail endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user."
                }
              ],
              "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/thumbnail endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-64",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-64 Using Slashes and URL Encoding Combined to Bypass Validation Logic"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-04T10:42:39.941Z",
            "orgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
            "shortName": "LGE"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1223/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "thumbnail Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
        "assignerShortName": "LGE",
        "cveId": "CVE-2023-4616",
        "datePublished": "2023-09-04T10:42:14.846Z",
        "dateReserved": "2023-08-30T08:06:54.779Z",
        "dateUpdated": "2024-09-30T18:48:13.074Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-4615 (GCVE-0-2023-4615)

    Vulnerability from cvelistv5 – Published: 2023-09-04 10:39 – Updated: 2024-09-30 18:49
    VLAI
    Title
    updateFile Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability
    Summary
    This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/download/updateFile endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    LGE
    References
    Impacted products
    Date Public
    2023-08-25 10:35
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:31:06.632Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1224/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-4615",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T18:49:14.882408Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T18:49:27.510Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LG-LED Assistant",
              "vendor": "LG Electronics",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.1.45"
                }
              ]
            }
          ],
          "datePublic": "2023-08-25T10:35:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/download/updateFile endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user."
                }
              ],
              "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/download/updateFile endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-64",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-64 Using Slashes and URL Encoding Combined to Bypass Validation Logic"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-04T10:39:40.286Z",
            "orgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
            "shortName": "LGE"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1224/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "updateFile Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
        "assignerShortName": "LGE",
        "cveId": "CVE-2023-4615",
        "datePublished": "2023-09-04T10:39:30.389Z",
        "dateReserved": "2023-08-30T08:06:53.638Z",
        "dateUpdated": "2024-09-30T18:49:27.510Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-4614 (GCVE-0-2023-4614)

    Vulnerability from cvelistv5 – Published: 2023-09-04 10:33 – Updated: 2024-09-30 18:50
    VLAI
    Title
    setThumbnailRC Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability
    Summary
    This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/installation/setThumbnailRc endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    LGE
    References
    Impacted products
    Date Public
    2023-08-25 10:32
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:31:06.627Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1222/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-4614",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T18:49:57.611094Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T18:50:07.356Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LG-LED Assistant",
              "vendor": "LG Electronics",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.1.45"
                }
              ]
            }
          ],
          "datePublic": "2023-08-25T10:32:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/installation/setThumbnailRc endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user."
                }
              ],
              "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/installation/setThumbnailRc endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-253",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-253 Remote Code Inclusion"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-04T10:45:20.197Z",
            "orgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
            "shortName": "LGE"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1222/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "setThumbnailRC Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
        "assignerShortName": "LGE",
        "cveId": "CVE-2023-4614",
        "datePublished": "2023-09-04T10:33:28.596Z",
        "dateReserved": "2023-08-30T08:06:51.973Z",
        "dateUpdated": "2024-09-30T18:50:07.356Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-4613 (GCVE-0-2023-4613)

    Vulnerability from cvelistv5 – Published: 2023-09-04 08:16 – Updated: 2024-09-30 18:50
    VLAI
    Title
    Upload Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability
    Summary
    This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/settings/upload endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    LGE
    References
    Impacted products
    Date Public
    2023-08-22 07:59
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:31:06.542Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1221/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-4613",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T18:50:37.562278Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T18:50:46.494Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LG-LED Assistant",
              "vendor": "LG Electronics",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.1.45"
                }
              ]
            }
          ],
          "datePublic": "2023-08-22T07:59:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/settings/upload endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user."
                }
              ],
              "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/settings/upload endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-253",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-253 Remote Code Inclusion"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-04T10:44:18.427Z",
            "orgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
            "shortName": "LGE"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1221/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Upload Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "42f21055-226c-4bce-a3c8-ecf55a3551fb",
        "assignerShortName": "LGE",
        "cveId": "CVE-2023-4613",
        "datePublished": "2023-09-04T08:16:27.817Z",
        "dateReserved": "2023-08-30T08:06:37.751Z",
        "dateUpdated": "2024-09-30T18:50:46.494Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }