This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/thumbnail endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user.
References
Link | Resource |
---|---|
https://lgsecurity.lge.com/bulletins/idproducts#updateDetails | Vendor Advisory |
https://www.zerodayinitiative.com/advisories/ZDI-23-1223/ | Third Party Advisory VDB Entry |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: LGE
Published: 2023-09-04T10:42:14.846Z
Updated: 2023-09-04T10:42:39.941Z
Reserved: 2023-08-30T08:06:54.779Z
Link: CVE-2023-4616
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-09-04T11:15:41.747
Modified: 2023-09-08T14:14:22.880
Link: CVE-2023-4616
JSON object: View
Redhat Information
No data.
CWE