NVD:CVE-2023-6318
Apr 09, 2024 - 2:15 p.m.

CVE-2023-6318

2024-04-09 14:15:07
CWE-78
web.nvd.nist.gov
command injection vulnerability
webos version 5
webos version 6
webos version 7
authenticated requests
root user
oled55cxpua
oled48c1pub
oled55a23la

CVSS3: 9.1 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score: 9.3 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.7%)

A command injection vulnerability exists in the processAnalyticsReport method from the com.webos.service.cloudupload service on webOS version 5 through 7. A series of specially crafted requests can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability.

Full versions and TV models affected:

  • webOS 5.5.0 - 04.50.51 running on OLED55CXPUA

  • webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB

  • webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA
