CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-4616 – thumbnail Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability
https://notcve.org/view.php?id=CVE-2023-4616
04 Sep 2023 — This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/thumbnail endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user. • https://lgsecurity.lge.com/bulletins/idproducts#updateDetails • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-4615 – updateFile Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability
https://notcve.org/view.php?id=CVE-2023-4615
04 Sep 2023 — This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/download/updateFile endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user. • https://lgsecurity.lge.com/bulletins/idproducts#updateDetails • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 3%CPEs: 1EXPL: 0CVE-2023-4614 – setThumbnailRC Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability
https://notcve.org/view.php?id=CVE-2023-4614
04 Sep 2023 — This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/installation/setThumbnailRc endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. • https://lgsecurity.lge.com/bulletins/idproducts#updateDetails • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 3%CPEs: 1EXPL: 0CVE-2023-4613 – Upload Directory Path Traversal Allows Unauthenticated Arbitrary File Read Vulnerability
https://notcve.org/view.php?id=CVE-2023-4613
04 Sep 2023 — This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/settings/upload endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. • https://lgsecurity.lge.com/bulletins/idproducts#updateDetails • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •