PT-2023-9035 · Lg · Webos

Alexandru Lazăr · Published 2023-11-01 · Updated 2026-02-19 · CVE-2023-6318

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

LG WebOS versions 5 through 7
LG WebOS versions 5.5.0 through 6.3.3-442
LG WebOS version 7.3.1-43
Description

A command injection issue exists in the processAnalyticsReport() method of the com.webos.service.cloudupload service. This allows a remote attacker to execute arbitrary commands as the root user by sending specially crafted requests. The vulnerability stems from a failure to neutralize special elements used in operating system commands.

Additionally, command injection flaws exist in the getAudioMetadata() method of the com.webos.service.attachedstoragemanager service and in the tv/setVlanStaticAddress service of com.webos.service.connectionmanager. Exploitation of these vulnerabilities can allow a remote attacker to execute arbitrary commands, either as the root user or as the dbus user, through crafted requests.

A vulnerability also exists in the secondscreen.gateway service related to bypassing the authorization mechanism by modifying variable settings, potentially allowing a remote attacker to create a privileged user account.
Recommendations

For webOS versions prior to 5.5.0, apply the necessary updates to address the vulnerability.
For webOS versions 5.5.0 through 6.3.3-442, apply the necessary updates to address the vulnerability.
For webOS version 7.3.1-43, apply the necessary updates to address the vulnerability.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

IDOR

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2024-03185
BDU:2024-03186
BDU:2024-03193
BDU:2024-03194
CVE-2023-6318

Affected Products

Webos