
CVSS: 9.1 | EPSS: 2% | CPEs: 1 | EXPL: 0

09 Apr 2024 — A command injection vulnerability exists in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint on webOS versions 5 and 6. A series of specially crafted requests can lead to command execution as the dbus user. An attacker can make authenticated requests to trigger this vulnerability. Full versions and TV models affected:
* webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
* webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB
• https://bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 9.1 | EPSS: 37% | CPEs: 4 | EXPL: 1

09 Apr 2024 — A command injection vulnerability exists in the getAudioMetadata method from the com.webos.service.attachedstoragemanager service on webOS version 4 through 7. A series of specially crafted requests can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability.
* webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA
* webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
* webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB
* webOS 7.3.1-43 (mul...
• https://github.com/illixion/root-my-webos-tv • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 9.1 | EPSS: 2% | CPEs: 1 | EXPL: 0

09 Apr 2024 — A command injection vulnerability exists in the processAnalyticsReport method from the com.webos.service.cloudupload service on webOS version 5 through 7. A series of specially crafted requests can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability. Full versions and TV models affected:
* webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
* webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB
* webOS 7.3.1-43 (mullet-mebin) - 03....
• https://bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 10.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

09 Apr 2024 — A prompt bypass exists in the secondscreen.gateway service running on webOS version 4 through 7. An attacker can create a privileged account without asking the user for the security PIN. Full versions and TV models affected:
* webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA
* webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
* webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB
* webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA
• https://bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos • CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

11 Mar 2022 — The V8 JavaScript engine (heap vulnerability) can cause privilege escalation, which can impact some webOS TV models. • https://github.com/DavidBuchanan314/WAMpage • CWE-264: Permissions, Privileges, and Access Controls

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

11 Mar 2022 — A public API error allows an attacker to bypass API access control. • https://lgsecurity.lge.com/bulletins/tv • CWE-284: Improper Access Control

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

28 Jan 2022 — There is a privilege escalation vulnerability in some webOS TVs. Due to incorrect environment settings, a local attacker is able to perform a specific operation to exploit this vulnerability. Exploitation may allow the attacker to obtain a higher privilege. • https://lgsecurity.lge.com/bulletins/tv

CVSS: 9.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

23 Mar 2020 — A vulnerability in the LG Electronics webOS TV Emulator could allow an attacker to escalate privileges and overwrite certain files. This vulnerability is due to an incorrect environment setting. An attacker could exploit this vulnerability through crafted configuration files and executable files. • https://blog.recurity-labs.com/2021-02-03/webOS_Pt1.html • CWE-494: Download of Code Without Integrity Check