MidnightBSD

Advisories for lg

CVE-2013-3666 HIGH

The LG Hidden Menu component for Android on the LG Optimus G E973 allows physically proximate attackers to execute arbitrary commands by entering USB Debugging mode, using Android Debug Bridge (adb) to establish a USB connection, dialing 3845#*973#, modifying the WLAN Test Wi-Fi Ping Test/User Command tcpdump command string, and pressing the CANCEL button.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
google android 4.1.2
lg optimus_g_e973 -
CVE-2014-7243 MEDIUM

LG Electronics Mobile WiFi router L-09C, L-03E, and L-04D does not restrict access to the web administration interface, which allows remote attackers to obtain sensitive information via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
lg l-03e -
lg l-04d -
lg l-09c -
CVE-2014-7252 MEDIUM

Multiple unspecified vulnerabilities in the Syslink driver for Texas Instruments OMAP mobile processor, as used on NTT DOCOMO ARROWS Tab LTE F-01D, ARROWS X LTE F-05D, Disney Mobile on docomo F-08D, REGZA Phone T-01D, and PRADA phone by LG L-02D; and SoftBank SHARP handsets 102SH allow local users to execute arbitrary code or read kernel memory via unknown vectors related to userland data and "improper data validation."

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fujitsu regza_phone_t-01d -
fujitsu arrows_tab_lte_f-01d *
disney_interactive disney_mobile -
fujitsu arrows_x_lte_f-05d -
sharp softbank_102sh -
lg prada_phone_l-02d -
CVE-2014-8757 HIGH

LG On-Screen Phone (OSP) before 4.3.010 allows remote attackers to bypass authorization via a crafted request.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,

Products Affected

Vendor Product Version
lg on-screen_phone *
CVE-2016-10135 MEDIUM

An issue was discovered on LG devices using the MTK chipset with L(5.0/5.1), M(6.0/6.0.1), and N(7.0) software, and RCA Voyager Tablet, BLU Advance 5.0, and BLU R1 HD devices. The MTKLogger app with a package name of com.mediatek.mtklogger has application components that are accessible to any application that resides on the device. Namely, the com.mediatek.mtklogger.framework.LogReceiver and com.mediatek.mtklogger.framework.MTKLoggerService application components are exported since they contain an intent filter, are not protected by a custom permission, and do not explicitly set the android:exported attribute to false. Therefore, these components are exported by default and are thus accessible to any third party application by using android.content.Intent object for communication. These application components can be used to start and stop the logs using Intent objects with embedded data. The available logs are the GPS log, modem log, network log, and mobile log. The base directory that contains the directories for the 4 types of logs is /sdcard/mtklog which makes them accessible to apps that require the READ_EXTERNAL_STORAGE permission. The GPS log contains the GPS coordinates of the user as well as a timestamp for the coordinates. The modem log contains AT commands and their parameters which allow the user's outgoing and incoming calls and text messages to be obtained. The network log is a tcpdump network capture. The mobile log contains the Android log, which is not available to third-party apps as of Android 4.1. The LG ID is LVE-SMP-160019.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
lg lg_mobile 6.0
lg lg_mobile 7.0
lg lg_mobile 6.0.1
lg lg_mobile 5.1
lg lg_mobile 5.0
CVE-2018-10229 MEDIUM

A hardware vulnerability in GPU memory modules allows attackers to accelerate micro-architectural attacks through the use of the JavaScript WebGL API.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
google chrome -
mozilla firefox -
lg nexus_5 -
CVE-2018-14839 HIGH

LG N1A1 NAS 3718.510 is affected by: Remote Command Execution. The impact is: execute arbitrary code (remote). The attack vector is: HTTP POST with parameters.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
lg n1a1_firmware 3718.510
CVE-2018-16286 MEDIUM

LG SuperSign CMS allows authentication bypass because the CAPTCHA requirement is skipped if a captcha:pass cookie is sent, and because the PIN is limited to four digits.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
lg supersign_cms -
CVE-2018-16287 HIGH

LG SuperSign CMS allows file upload via signEzUI/playlist/edit/upload/..%2f URIs.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
lg supersign_cms -
CVE-2018-16288 HIGH

LG SuperSign CMS allows reading of arbitrary files via signEzUI/playlist/edit/upload/..%2f URIs.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-200,

Products Affected

Vendor Product Version
lg supersign_cms 2.5
CVE-2018-16706 HIGH

LG SuperSign CMS allows TVs to be rebooted remotely without authentication via a direct HTTP request to /qsr_server/device/reboot on port 9080.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-425,

Products Affected

Vendor Product Version
lg supersign_cms -
CVE-2018-16946 MEDIUM

LG LNB*, LND*, LNU*, and LNV* smart network camera devices have broken access control. Attackers are able to download /updownload/t.report (aka Log & Report) files and download backup files (via download.php) without authenticating. These backup files contain user credentials and configuration information for the camera device. An attacker is able to discover the backup filename via reading the system logs or report data, or just by brute-forcing the backup filename pattern. It may be possible to authenticate to the admin account with the admin password.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-552,

Products Affected

Vendor Product Version
lg lnb7210_firmware *
lg lnd3230r_firmware *
lg lnb5110_firmware *
lg lnu5320r_firmware *
lg lnd7210_firmware *
lg lnu5110r_firmware *
lg lnb5320_firmware *
lg lnv5320r_firmware *
lg lnv7210r_firmware *
lg lnd5220r_firmware *
lg lnd7210r_firmware *
lg lnd5110r_firmware *
lg lnu3230r_firmware *
lg lnd5110_firmware *
lg lnb5320r_firmware *
lg lnv7210_firmware *
lg lnu7210r_firmware *
lg lnv5110r_firmware *
CVE-2018-17173 HIGH

LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
lg supersign_cms 2.5
CVE-2019-20769 MEDIUM

An issue was discovered in LG PC Suite for LG G3 and earlier (aka LG PC Suite v5.3.27 and earlier). DLL Hijacking can occur via a Trojan horse DLL in the current working directory. The LG ID is LVE-MOT-190001 (November 2019).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,

Products Affected

Vendor Product Version
lg pc_suite *
CVE-2019-20781 MEDIUM

An issue was discovered in LG Bridge before April 2019 on Windows. DLL Hijacking can occur.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,

Products Affected

Vendor Product Version
lg bridge *
CVE-2019-7404 MEDIUM

An issue was discovered on LG GAMP-7100, GAPM-7200, and GAPM-8000 routers. An unauthenticated user can read a log file via an HTTP request containing its full pathname, such as http://192.168.0.1/var/gapm7100_${today's_date}.log for reading a filename such as gapm7100_190101.log.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,

Products Affected

Vendor Product Version
lg gamp-7100_firmware -
lg gapm-7200_firmware -
lg gapm-8000_firmware -
CVE-2019-8372 MEDIUM

The LHA.sys driver before 1.1.1811.2101 in LG Device Manager exposes functionality that allows low-privileged users to read and write arbitrary physical memory via specially crafted IOCTL requests and elevate system privileges. This occurs because the device object has an associated symbolic link and an open DACL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-59,

Products Affected

Vendor Product Version
lg lha.sys *
CVE-2020-7807 LOW

A vulnerability that can hijack a DLL file that is loaded during products(LGPCSuite_Setup, IPSFULLHD, LG_ULTRAWIDE, ULTRA_HD_Driver Setup) installation into a DLL file that the hacker wants. Missing Support for Integrity Check vulnerability in ____COMPONENT____ of LG Electronics (LGPCSuite_Setup), (IPSFULLHD, LG_ULTRAWIDE, ULTRA_HD_Driver Setup) allows ____ATTACKER/ATTACK____ to cause ____IMPACT____. This issue affects: LG Electronics; LGPCSuite_Setup : 1.0.0.3 on Windows(x86, x64); IPSFULLHD, LG_ULTRAWIDE, ULTRA_HD_Driver Setup : 1.0.0.9 on Windows(x86, x64).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vuln@krcert.or.kr 5.6 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H 0.3 5.2
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-353,CWE-354,

Products Affected

Vendor Product Version
lg ipsfullhd 1.0.0.3
lg lgpcsuite_setup 1.0.0.9
lg lg_ultrawide 1.0.0.3
lg ultra_hd_driver_setup 1.0.0.3
CVE-2020-9759 HIGH

A Vulnerability of LG Electronic web OS TV Emulator could allow an attacker to escalate privileges and overwrite certain files. This vulnerability is due to wrong environment setting. An attacker could exploit this vulnerability through crafted configuration files and executable files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 4.6 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 1.5 2.7
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-494,

Products Affected

Vendor Product Version
lg webos -
CVE-2021-38306 HIGH

Network Attached Storage on LG N1T1*** 10124 devices allows an unauthenticated attacker to gain root access via OS command injection in the en/ajp/plugins/access.ssh/checkInstall.php destServer parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
lg n1t1_firmware -
CVE-2022-23727 MEDIUM

There is a privilege escalation vulnerability in some webOS TVs. Due to wrong setting environments, local attacker is able to perform specific operation to exploit this vulnerability. Exploitation may cause the attacker to obtain a higher privilege

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
lg webos *
CVE-2022-23730 HIGH

The public API error causes for the attacker to be able to bypass API access control.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,NVD-CWE-Other,

Products Affected

Vendor Product Version
lg webos *
CVE-2022-23731 MEDIUM

V8 javascript engine (heap vulnerability) can cause privilege escalation ,which can impact on some webOS TV models.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
lg webos *
CVE-2022-45422

When LG SmartShare is installed, local privilege escalation is possible through DLL Hijacking attack. The LG ID is LVE-HOT-220005.

Products Affected

Vendor Product Version
lg smart_share -
CVE-2023-40492

LG Simple Editor deleteCheckSession Directory Traversal Arbitrary File Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary files on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the deleteCheckSession method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of SYSTEM. . Was ZDI-CAN-19919.

Products Affected

Vendor Product Version
lg simple_editor 3.21.0
CVE-2023-40517

LG SuperSign Media Editor ContentRestController getObject Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG SuperSign Media Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getObject method implemented in the ContentRestController class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-20328.

Products Affected

Vendor Product Version
lg supersign_media_editor 3.11.3_20171108
CVE-2023-41181

LG SuperSign Media Editor getSubFolderList Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG SuperSign Media Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getSubFolderList method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-20330.

Products Affected

Vendor Product Version
lg supersign_media_editor 3.11.3_20171108
CVE-2023-4613

This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/settings/upload endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
product.security@lge.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
lg lg_led_assistant 2.1.45
CVE-2023-4614

This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/installation/setThumbnailRc endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
product.security@lge.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
lg lg_led_assistant 2.1.45
CVE-2023-4615

This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/download/updateFile endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
product.security@lge.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
lg lg_led_assistant 2.1.45
CVE-2023-4616

This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/thumbnail endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
product.security@lge.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
lg lg_led_assistant 2.1.45
CVE-2023-6317

A prompt bypass exists in the secondscreen.gateway service running on webOS version 4 through 7. An attacker can create a privileged account without asking the user for the security PIN.  Full versions and TV models affected: webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA webOS 5.5.0 - 04.50.51 running on OLED55CXPUA webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB   webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-requests@bitdefender.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N 3.9 2.7

Products Affected

Vendor Product Version
lg webos 5.5.0
lg webos 6.3.3-442
lg webos 7.3.1-43
lg webos 4.9.7
CVE-2023-6318

A command injection vulnerability exists in the processAnalyticsReport method from the com.webos.service.cloudupload service on webOS version 5 through 7. A series of specially crafted requests can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability. Full versions and TV models affected: * webOS 5.5.0 - 04.50.51 running on OLED55CXPUA  * webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB  * webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-requests@bitdefender.com 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 2.3 6.0

Products Affected

Vendor Product Version
lg webos 5.5.0
lg webos 6.3.3-442
lg webos 7.3.1-43
CVE-2023-6319

A command injection vulnerability exists in the getAudioMetadata method from the com.webos.service.attachedstoragemanager service on webOS version 4 through 7. A series of specially crafted requests can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability. * webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA  * webOS 5.5.0 - 04.50.51 running on OLED55CXPUA  * webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB  * webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-requests@bitdefender.com 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 2.3 6.0

Products Affected

Vendor Product Version
lg webos 5.5.0
lg webos 6.3.3-442
lg webos 7.3.1-43
lg webos 4.9.7
CVE-2023-6320

A command injection vulnerability exists in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint on webOS versions 5 and 6. A series of specially crafted requests can lead to command execution as the dbus user. An attacker can make authenticated requests to trigger this vulnerability. Full versions and TV models affected: * webOS 5.5.0 - 04.50.51 running on OLED55CXPUA  * webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-requests@bitdefender.com 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 2.3 6.0

Products Affected

Vendor Product Version
lg webos 5.5.0
lg webos 6.3.3-442
CVE-2024-1885

This vulnerability allows remote attackers to execute arbitrary code on the affected webOS of LG Signage.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
product.security@lge.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 2.8 3.4

Products Affected

Vendor Product Version
lg webos_signage 6.0.0-56
CVE-2024-1886

This vulnerability allows remote attackers to traverse the directory on the affected webOS of LG Signage.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
product.security@lge.com 3.0 LOW CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 1.5 1.4

Products Affected

Vendor Product Version
lg webos_signage 6.0.0-56
CVE-2024-6177

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in LG Electronics SuperSign CMS allows Reflected XSS. This issue affects SuperSign CMS: from 4.1.3 before < 4.3.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
lg supersign_cms *
CVE-2024-6178

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LG Electronics SuperSign CMS allows Reflected XSS. This issue affects SuperSign CMS: from 4.1.3 before < 4.3.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
lg supersign_cms *
CVE-2024-6179

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LG Electronics SuperSign CMS allows Reflected XSS. This issue affects SuperSign CMS: from 4.1.3 before < 4.3.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
lg supersign_cms *