Lucene search

BitdefenderCVELIST:CVE-2023-6320

HistoryApr 09, 2024 - 1:43 p.m.

CVE-2023-6320 Command injection in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint

2024-04-0913:43:35

CWE-78

Bitdefender

www.cve.org

cve-2023

webos

vulnerability

command injection

authenticated requests

oled55cxpua

oled48c1pub

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.7%

JSON

A command injection vulnerability exists in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint on webOS versions 5 and 6. A series of specially crafted requests can lead to command execution as the dbus user. An attacker can make authenticated requests to trigger this vulnerability.

Full versions and TV models affected:

webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "webOS",
    "vendor": "LG",
    "versions": [
      {
        "status": "affected",
        "version": "5.5.0"
      },
      {
        "status": "affected",
        "version": "6.3.3-442"
      }
    ]
  }
]

References

bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/

lgsecurity.lge.com/bulletins/tv#updateDetails

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.7%

JSON

Related for CVELIST:CVE-2023-6320