← back
CVE-2023-6319

Command injection in the getAudioMetadata method from the com.webos.service.attachedstoragemanager service

CVSS 9.1 CRITICALEPSS 6.4%CWE-78
A command injection vulnerability exists in the getAudioMetadata method from the com.webos.service.attachedstoragemanager service on webOS version 4 through 7. A series of specially crafted requests can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability. * webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA  * webOS 5.5.0 - 04.50.51 running on OLED55CXPUA  * webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB  * webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected products
LG · webOS
public PoCs found1
githubgithub.com/illixion/root-my-webos-tv50
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/https://lgsecurity.lge.com/bulletins/tv#updateDetails