Lucene search

[email protected]NVD:CVE-2023-6320

HistoryApr 09, 2024 - 2:15 p.m.

CVE-2023-6320

2024-04-0914:15:08

CWE-78

[email protected]

web.nvd.nist.gov

webos

command injection

vulnerability

setvlanstaticaddress

authenticated requests

oled55cxpua

oled48c1pub

dbus user

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

Percentile

9.6%

JSON

A command injection vulnerability exists in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint on webOS versions 5 and 6. A series of specially crafted requests can lead to command execution as the dbus user. An attacker can make authenticated requests to trigger this vulnerability.

Full versions and TV models affected:

webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB

References

bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/

lgsecurity.lge.com/bulletins/tv#updateDetails

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

Percentile

9.6%

JSON

Related for NVD:CVE-2023-6320

vulnrichment1 cve1 cvelist1 thn1