Lg
Products by Lg Sorted by Most Security Vulnerabilities since 2018
Known Exploited Lg Vulnerabilities
The following Lg vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
Title | Description | Added |
---|---|---|
LG N1A1 NAS Remote Command Execution Vulnerability | LG N1A1 NAS 3718.510 is affected by a remote code execution vulnerability. CVE-2018-14839 | March 25, 2022 |
By the Year
In 2024 there have been 0 vulnerabilities in Lg. Last year Lg had 4 security vulnerabilities published. Right now, Lg is on track to have fewer security vulnerabilities in 2024 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 0 | 0.00 |
2023 | 4 | 8.65 |
2022 | 4 | 8.30 |
2021 | 0 | 0.00 |
2020 | 2 | 7.80 |
2019 | 1 | 7.00 |
2018 | 6 | 8.38 |
It may take a day or so for new Lg vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Lg Security Vulnerabilities
This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant
CVE-2023-4614
9.8 - Critical
- September 04, 2023
This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/installation/setThumbnailRc endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user.
Directory traversal
This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant
CVE-2023-4615
7.5 - High
- September 04, 2023
This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/download/updateFile endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user.
Directory traversal
This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant
CVE-2023-4616
7.5 - High
- September 04, 2023
This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/thumbnail endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user.
Directory traversal
This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant
CVE-2023-4613
9.8 - Critical
- September 04, 2023
This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/settings/upload endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user.
Directory traversal
When LG SmartShare is installed, local privilege escalation is possible through a DLL hijacking attack
CVE-2022-45422
7.8 - High
- November 21, 2022
When LG SmartShare is installed, local privilege escalation is possible through a DLL hijacking attack. The LG ID is LVE-HOT-220005.
DLL preloading
The public API error allows the attacker to bypass API access control.
CVE-2022-23730
9.8 - Critical
- March 11, 2022
The public API error allows the attacker to bypass API access control.
V8 JavaScript engine (heap vulnerability) can cause privilege escalation
CVE-2022-23731
7.8 - High
- March 11, 2022
V8 JavaScript engine (heap vulnerability) can cause privilege escalation, which can impact some webOS TV models.
There is a privilege escalation vulnerability in some webOS TVs
CVE-2022-23727
7.8 - High
- January 28, 2022
There is a privilege escalation vulnerability in some webOS TVs. Due to wrong environment settings, a local attacker is able to perform a specific operation to exploit this vulnerability. Exploitation may allow the attacker to obtain a higher privilege.
An issue was discovered in LG Bridge before April 2019 on Windows
CVE-2019-20781
7.8 - High
- April 29, 2020
An issue was discovered in LG Bridge before April 2019 on Windows. DLL Hijacking can occur.
Improper Privilege Management
A vulnerability in LG Electronic web OS TV Emulator could allow an attacker to escalate privileges and overwrite certain files
CVE-2020-9759
7.8 - High
- March 23, 2020
A vulnerability in LG Electronic web OS TV Emulator could allow an attacker to escalate privileges and overwrite certain files. This vulnerability is due to a wrong environment setting. An attacker could exploit this vulnerability through crafted configuration files and executable files.
Download of Code Without Integrity Check
The LHA.sys driver before 1.1.1811.2101 in LG Device Manager exposes functionality
CVE-2019-8372
7 - High
- February 18, 2019
The LHA.sys driver before 1.1.1811.2101 in LG Device Manager exposes functionality that allows low-privileged users to read and write arbitrary physical memory via specially crafted IOCTL requests and elevate system privileges. This occurs because the device object has an associated symbolic link and an open DACL.
insecure temporary file
LG SuperSign CMS allows remote attackers to execute arbitrary code
CVE-2018-17173
9.8 - Critical
- September 21, 2018
LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail.
Code Injection
LG SuperSign CMS allows TVs to be rebooted remotely without authentication
CVE-2018-16706
7.5 - High
- September 14, 2018
LG SuperSign CMS allows TVs to be rebooted remotely without authentication via a direct HTTP request to /qsr_server/device/reboot on port 9080.
forced browsing
LG SuperSign CMS allows reading of arbitrary files via signEzUI/playlist/edit/upload/
CVE-2018-16288
8.6 - High
- September 14, 2018
LG SuperSign CMS allows reading of arbitrary files via signEzUI/playlist/edit/upload/..%2f URIs.
Information Disclosure
LG SuperSign CMS allows file upload via signEzUI/playlist/edit/upload/
CVE-2018-16287
9.8 - Critical
- September 14, 2018
LG SuperSign CMS allows file upload via signEzUI/playlist/edit/upload/..%2f URIs.
Unrestricted File Upload
LG SuperSign CMS allows authentication bypass
CVE-2018-16286
9.8 - Critical
- September 14, 2018
LG SuperSign CMS allows authentication bypass because the CAPTCHA requirement is skipped if a captcha:pass cookie is sent, and because the PIN is limited to four digits.
authentication