4 results (0.005 seconds)

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/thumbnail endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user. • https://lgsecurity.lge.com/bulletins/idproducts#updateDetails https://www.zerodayinitiative.com/advisories/ZDI-23-1223 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/download/updateFile endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user. • https://lgsecurity.lge.com/bulletins/idproducts#updateDetails https://www.zerodayinitiative.com/advisories/ZDI-23-1224 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 0

This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/installation/setThumbnailRc endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. • https://lgsecurity.lge.com/bulletins/idproducts#updateDetails https://www.zerodayinitiative.com/advisories/ZDI-23-1222 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 0

This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/settings/upload endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. • https://lgsecurity.lge.com/bulletins/idproducts#updateDetails https://www.zerodayinitiative.com/advisories/ZDI-23-1221 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •