6.3.3442

CVSS 7.2 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

NVD

Published: 2024-04-09

Updated: 2025-02-07

Summary

A command injection vulnerability exists in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint on webOS versions 5 and 6. A series of specially crafted requests can lead to command execution as the dbus user. An attacker can make authenticated requests to trigger this vulnerability. Full versions and TV models affected: * webOS 5.5.0 - 04.50.51 running on OLED55CXPUA * webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB

Vulnerable Configurations

Part	Description	Count
OS	Lg LG Webos 5.5.0 LG Webos 6.3.3-442	2
Hardware	Lg LG Oled55Cxpua - LG Oled48C1Pub -	2

References

https://bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/
https://bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/
https://lgsecurity.lge.com/bulletins/tv#updateDetails
https://lgsecurity.lge.com/bulletins/tv#updateDetails