CRITICAL🇵🇱 Wersja polska

CVE-2023-40500

CVSS 9.8v3.1pub. 2024-05-03upd. 2025-04-10

LG Simple Editor copyContent Exposed Dangerous Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the copyContent command. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. . Was ZDI-CAN-19944.

🤖 AI Analysis
How it works

The vulnerability lies in the implementation of the copyContent command, which does not perform proper validation of the path supplied by the user before using it in file operations. An attacker can send a crafted network request containing a malicious path, leading to arbitrary code execution. The exploit does not require any authentication or user interaction.

Impact

An attacker can execute arbitrary code in the context of the SYSTEM account, which means complete takeover of the attacked machine, including reading and modifying data as well as installing malicious software.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Details available in the Zero Day Initiative advisory: ZDI-23-1206.

Who is affected

LG Simple Editor — versions indicated in the manufacturer's references (ZDI-CAN-19944)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Lg Simple Editor

    APP
    Lg
    3.21.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2023-40497CRITICAL9.8PL ✓ten sam produkt

LG Simple Editor — path traversal umożliwiający zdalny RCE jako SYSTEM

CVE-2023-40494CRITICAL9.1PL ✓ten sam produkt

LG Simple Editor — path traversal umożliwiający usunięcie dowolnych plików

CVE-2023-40493CRITICAL9.8PL ✓ten sam produkt

LG Simple Editor — path traversal umożliwiający RCE jako SYSTEM

CVE-2023-40492CRITICAL9.1PL ✓ten sam produkt

LG Simple Editor — path traversal umożliwiający usunięcie dowolnych plików

CVE-2023-40498CRITICAL9.8PL ✓ten sam produkt

LG Simple Editor: path traversal w komendzie cp umożliwia RCE jako SYSTEM