cnvd - cnvd-2024-34032

cnvd-2024-34032

Vulnerability from cnvd

Title: LG Simple Editor本地权限提升漏洞

Description:

LG Simple Editor是韩国乐金（LG）公司的一个简易编辑器，通过简化流程和在标牌上即时播放来创建新内容。

LG Simple Editor存在本地权限提升漏洞，攻击者可利用该漏洞提升权限。

Severity: 中

Formal description:

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.lg.com/global/business/lg-simple-editor

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40516

Impacted products

Name
LG Simple Editor

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-40516",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-40516"
    }
  },
  "description": "LG Simple Editor\u662f\u97e9\u56fd\u4e50\u91d1\uff08LG\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u7b80\u6613\u7f16\u8f91\u5668\uff0c\u901a\u8fc7\u7b80\u5316\u6d41\u7a0b\u548c\u5728\u6807\u724c\u4e0a\u5373\u65f6\u64ad\u653e\u6765\u521b\u5efa\u65b0\u5185\u5bb9\u3002\n\nLG Simple Editor\u5b58\u5728\u672c\u5730\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u5347\u6743\u9650\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.lg.com/global/business/lg-simple-editor",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-34032",
  "openTime": "2024-07-30",
  "products": {
    "product": "LG Simple Editor"
  },
  "referenceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40516",
  "serverity": "\u4e2d",
  "submitTime": "2024-07-19",
  "title": "LG Simple Editor\u672c\u5730\u6743\u9650\u63d0\u5347\u6f0f\u6d1e"
}

CVE-2023-40516 (GCVE-0-2023-40516)

Vulnerability from cvelistv5

Published

2024-05-03 02:11

Modified

2024-09-18 18:29

Severity ?

7.8 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-732 - Incorrect Permission Assignment for Critical Resource

Summary

LG Simple Editor Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of LG Simple Editor. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the product installer. The product sets incorrect permissions on folders. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-20327.

References

▼	URL	Tags
	https://www.zerodayinitiative.com/advisories/ZDI-23-1218/	x_research-advisory

Impacted products

	Vendor	Product	Version
	LG	Simple Editor	Version: LG Simple Editor 3.21.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:lg:simple_editor:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "simple_editor",
            "vendor": "lg",
            "versions": [
              {
                "lessThan": "3.21.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-40516",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-09T20:32:20.922996Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-23T20:25:22.689Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:38:49.310Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "ZDI-23-1218",
            "tags": [
              "x_research-advisory",
              "x_transferred"
            ],
            "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1218/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Simple Editor",
          "vendor": "LG",
          "versions": [
            {
              "status": "affected",
              "version": "LG Simple Editor 3.21.0"
            }
          ]
        }
      ],
      "dateAssigned": "2023-08-14T16:14:46.886-05:00",
      "datePublic": "2023-08-24T16:13:49.465-05:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "LG Simple Editor Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of LG Simple Editor. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the product installer. The product sets incorrect permissions on folders. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-20327."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-18T18:29:57.502Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "name": "ZDI-23-1218",
          "tags": [
            "x_research-advisory"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1218/"
        }
      ],
      "source": {
        "lang": "en",
        "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
      },
      "title": "LG Simple Editor Incorrect Permission Assignment Local Privilege Escalation Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2023-40516",
    "datePublished": "2024-05-03T02:11:41.380Z",
    "dateReserved": "2023-08-14T21:06:28.917Z",
    "dateUpdated": "2024-09-18T18:29:57.502Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted