CVE-2023-40506

EPSS 0.1%
Published 03.05.2024 03:15:25
Last modified 10.04.2025 14:39:30
Source zdi-disclosures@trendmicro.com
Teams watchlist Login
Open Login

LG Simple Editor copyContent XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the implementation of the copyContent command. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM.
. Was ZDI-CAN-20005.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Lg ≫ Simple Editor Version3.21.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.1%	0.277

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
zdi-disclosures@trendmicro.com	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://www.zerodayinitiative.com/advisories/ZDI-23-1210/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-40506

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-40506

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-40506

EUVD