9.1

CVE-2023-6319

Exploit
A command injection vulnerability exists in the getAudioMetadata method from the com.webos.service.attachedstoragemanager service on webOS version 4 through 7. A series of specially crafted requests can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability.

  *  webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA 

  *  webOS 5.5.0 - 04.50.51 running on OLED55CXPUA 

  *  webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB 

  *  webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LgWebos Version4.9.7
   LgLg43um7000pla Version-
LgWebos Version5.5.0
   LgOled55cxpua Version-
LgWebos Version6.3.3-442
   LgOled48c1pub Version-
LgWebos Version7.3.1-43
   LgOled55a23la Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 9.15% 0.924
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.2 1.2 5.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cve-requests@bitdefender.com 9.1 2.3 6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.