This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/download/updateFile endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user.
History

Mon, 30 Sep 2024 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: LGE

Published: 2023-09-04T10:39:30.389Z

Updated: 2024-09-30T18:49:27.510Z

Reserved: 2023-08-30T08:06:53.638Z

Link: CVE-2023-4615

cve-icon Vulnrichment

Updated: 2024-08-02T07:31:06.632Z

cve-icon NVD

Status : Modified

Published: 2023-09-04T11:15:41.657

Modified: 2024-11-21T08:35:33.010

Link: CVE-2023-4615

cve-icon Redhat

No data.