This vulnerability allows remote attackers to execute arbitrary code on the affected webOS of LG Signage.
Max CVSS: 6.3 | EPSS Score: 0.04% | Published: 2024-02-26 | Updated: 2024-02-29
This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/thumbnail endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user.
Max CVSS: 7.5 | EPSS Score: 0.15% | Published: 2023-09-04 | Updated: 2023-09-08
This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/download/updateFile endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user.
Max CVSS: 7.5 | EPSS Score: 0.15% | Published: 2023-09-04 | Updated: 2023-09-08
This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/installation/setThumbnailRc endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user.
Max CVSS: 9.8 | EPSS Score: 1.85% | Published: 2023-09-04 | Updated: 2023-09-08
This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/settings/upload endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user.
Max CVSS: 9.8 | EPSS Score: 1.85% | Published: 2023-09-04 | Updated: 2023-09-08
When LG SmartShare is installed, local privilege escalation is possible through a DLL hijacking attack. The LG ID is LVE-HOT-220005.
Max CVSS: 7.8 | EPSS Score: 0.05% | Published: 2022-11-21 | Updated: 2022-11-23
A heap vulnerability in the V8 JavaScript engine can cause privilege escalation, which can impact some webOS TV models.
Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2022-03-11 | Updated: 2022-03-18
A public API error allows an attacker to bypass API access control.
Max CVSS: 9.8 | EPSS Score: 0.23% | Published: 2022-03-11 | Updated: 2023-07-03
There is a privilege escalation vulnerability in some webOS TVs. Due to an incorrect environment setting, a local attacker is able to perform a specific operation to exploit this vulnerability. Exploitation may allow the attacker to obtain a higher privilege.
Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2022-01-28 | Updated: 2023-07-03
Network Attached Storage on LG N1T1*** 10124 devices allows an unauthenticated attacker to gain root access via OS command injection in the en/ajp/plugins/access.ssh/checkInstall.php destServer parameter.
Max CVSS: 10.0 | EPSS Score: 1.95% | Published: 2021-08-24 | Updated: 2021-09-09
A vulnerability in the LG Electronics webOS TV Emulator could allow an attacker to escalate privileges and overwrite certain files. This vulnerability is due to an incorrect environment setting. An attacker could exploit this vulnerability through crafted configuration files and executable files.
Max CVSS: 9.3 | EPSS Score: 0.09% | Published: 2020-03-23 | Updated: 2022-04-22
A DLL file that is loaded during installation of the products (LGPCSuite_Setup, IPSFULLHD, LG_ULTRAWIDE, ULTRA_HD_Driver Setup) can be hijacked and replaced with a DLL file of the attacker's choosing. Missing Support for Integrity Check vulnerability in ____COMPONENT____ of LG Electronics (LGPCSuite_Setup), (IPSFULLHD, LG_ULTRAWIDE, ULTRA_HD_Driver Setup) allows ____ATTACKER/ATTACK____ to cause ____IMPACT____. This issue affects: LG Electronics; LGPCSuite_Setup : 1.0.0.3 on Windows (x86, x64); IPSFULLHD, LG_ULTRAWIDE, ULTRA_HD_Driver Setup : 1.0.0.9 on Windows (x86, x64).
Max CVSS: 5.6 | EPSS Score: 0.06% | Published: 2020-09-14 | Updated: 2020-09-21
An issue was discovered in LG Bridge before April 2019 on Windows. DLL Hijacking can occur.
Max CVSS: 7.8 | EPSS Score: 0.06% | Published: 2020-04-29 | Updated: 2021-07-21
An issue was discovered in LG PC Suite for LG G3 and earlier (aka LG PC Suite v5.3.27 and earlier). DLL Hijacking can occur via a Trojan horse DLL in the current working directory. The LG ID is LVE-MOT-190001 (November 2019).
Max CVSS: 7.8 | EPSS Score: 0.06% | Published: 2020-04-17 | Updated: 2021-07-21
The LHA.sys driver before 1.1.1811.2101 in LG Device Manager exposes functionality that allows low-privileged users to read and write arbitrary physical memory via specially crafted IOCTL requests and elevate system privileges. This occurs because the device object has an associated symbolic link and an open DACL.
Max CVSS: 7.0 | EPSS Score: 0.13% | Published: 2019-02-18 | Updated: 2019-02-26
An issue was discovered on LG GAMP-7100, GAPM-7200, and GAPM-8000 routers. An unauthenticated user can read a log file via an HTTP request containing its full pathname, such as http://192.168.0.1/var/gapm7100_${today's_date}.log for reading a filename such as gapm7100_190101.log.
Max CVSS: 7.5 | EPSS Score: 0.55% | Published: 2019-05-13 | Updated: 2021-07-21
LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail.
Max CVSS: 9.8 | EPSS Score: 88.05% | Published: 2018-09-21 | Updated: 2019-05-06
LG LNB*, LND*, LNU*, and LNV* smart network camera devices have broken access control. Attackers are able to download /updownload/t.report (aka Log & Report) files and download backup files (via download.php) without authenticating. These backup files contain user credentials and configuration information for the camera device. An attacker is able to discover the backup filename via reading the system logs or report data, or just by brute-forcing the backup filename pattern. It may be possible to authenticate to the admin account with the admin password.
Max CVSS: 7.5 | EPSS Score: 47.57% | Published: 2018-09-12 | Updated: 2019-10-03
LG SuperSign CMS allows TVs to be rebooted remotely without authentication via a direct HTTP request to /qsr_server/device/reboot on port 9080.
Max CVSS: 7.8 | EPSS Score: 0.12% | Published: 2018-09-14 | Updated: 2020-08-24
LG SuperSign CMS allows reading of arbitrary files via signEzUI/playlist/edit/upload/..%2f URIs.
Max CVSS: 8.6 | EPSS Score: 12.06% | Published: 2018-09-14 | Updated: 2018-11-07
LG SuperSign CMS allows file upload via signEzUI/playlist/edit/upload/..%2f URIs.
Max CVSS: 9.8 | EPSS Score: 0.58% | Published: 2018-09-14 | Updated: 2018-11-07
LG SuperSign CMS allows authentication bypass because the CAPTCHA requirement is skipped if a captcha:pass cookie is sent, and because the PIN is limited to four digits.
Max CVSS: 9.8 | EPSS Score: 0.66% | Published: 2018-09-14 | Updated: 2018-11-07
CVE-2018-14839 (Known exploited)
LG N1A1 NAS 3718.510 is affected by: Remote Command Execution. The impact is: execute arbitrary code (remote). The attack vector is: HTTP POST with parameters.
Max CVSS: 9.8 | EPSS Score: 8.57% | Published: 2019-05-14 | Updated: 2019-10-03 | CISA KEV Added: 2022-03-25
A hardware vulnerability in GPU memory modules allows attackers to accelerate micro-architectural attacks through the use of the JavaScript WebGL API.
Max CVSS: 5.8 | EPSS Score: 0.12% | Published: 2018-05-04 | Updated: 2019-10-03
An issue was discovered on LG devices using the MTK chipset with L(5.0/5.1), M(6.0/6.0.1), and N(7.0) software, and RCA Voyager Tablet, BLU Advance 5.0, and BLU R1 HD devices. The MTKLogger app with a package name of com.mediatek.mtklogger has application components that are accessible to any application that resides on the device. Namely, the com.mediatek.mtklogger.framework.LogReceiver and com.mediatek.mtklogger.framework.MTKLoggerService application components are exported since they contain an intent filter, are not protected by a custom permission, and do not explicitly set the android:exported attribute to false. Therefore, these components are exported by default and are thus accessible to any third party application by using android.content.Intent object for communication. These application components can be used to start and stop the logs using Intent objects with embedded data. The available logs are the GPS log, modem log, network log, and mobile log. The base directory that contains the directories for the 4 types of logs is /sdcard/mtklog which makes them accessible to apps that require the READ_EXTERNAL_STORAGE permission. The GPS log contains the GPS coordinates of the user as well as a timestamp for the coordinates. The modem log contains AT commands and their parameters which allow the user's outgoing and incoming calls and text messages to be obtained. The network log is a tcpdump network capture. The mobile log contains the Android log, which is not available to third-party apps as of Android 4.1. The LG ID is LVE-SMP-160019.
Max CVSS: 5.5 | EPSS Score: 0.07% | Published: 2017-01-13 | Updated: 2017-03-16
29 vulnerabilities found