cbcvebase.
CVE-2023-40498
published 2024-05-03


Priority: P188 · critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: EXPLOIT
EPSS: 82.96% (99.6th percentile)
LG Simple Editor cp Command Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the cp command implemented in the makeDetailContent method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19925.

Affected (2 ranges)

Vendor  Product        Version range  Fixed in
lg      simple_editor  -              -
lg      simple_editor  -              -

Detection & IOCs (extracted from sources)

url: /simpleeditor/imageManager/uploadImage.do
url: /simpleeditor/fileSystem/makeDetailContent.do
command: {"command":"cp","option":"-f","srcPath":"<file>.bmp","destPath":"<file>.jsp"}

snort rule (sid:2049212):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS LG Simple Editor Malicious JSP Disguised as BMP Upload Attempt (CVE-2023-40498)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/simpleeditor/imageManager/uploadImage.do"; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|uploadFile|22 3b 20|filename|3d 22|"; content:".bmp|22 0d 0a|"; within:40; content:"Content-Type|3a 20|image/bmp|0d 0a|Content-Transfer-Encoding|3a 20|binary|0d 0a 0d 0a|"; within:150; content:"|3c 25 40|page import|3d 22|java.io."; within:60; reference:url,attackerkb.com/topics/qB3G1ymgSh/cve-2023-40498; reference:cve,2023-40498; classtype:attempted-admin; sid:2049212; rev:3;)

snort rule (sid:2049213):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS LG Simple Editor Rename Malicious BMP to JSP Attempt (CVE-2023-40498)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/simpleeditor/fileSystem/makeDetailContent.do"; fast_pattern; http.request_body; content:"|7b 22|command|22 3a 22|cp|22 2c 22|option|22 3a 22|-f|22 2c 22|srcPath|22 3a 22|"; content:".bmp|22 2c 22|destPath|22 3a 22|"; within:100; content:".jsp|22 7d|"; within:50; reference:url,attackerkb.com/topics/qB3G1ymgSh/cve-2023-40498; reference:cve,2023-40498; classtype:attempted-admin; sid:2049213; rev:3;)

bytes (stage 1, JSP directive inside the .bmp upload): |3c 25 40| page import|3d 22|java.io.
bytes (stage 2, start of the cp command JSON): |7b 22|command|22 3a 22|cp|22 2c 22|option|22 3a 22|-f|22 2c 22|srcPath|22 3a 22|
  • Two-stage attack: Stage 1 uploads a malicious JSP payload disguised as a .bmp file via the uploadImage endpoint; Stage 2 uses the cp command via makeDetailContent to rename the .bmp to .jsp for execution.
  • No authentication is required to exploit this vulnerability; monitor for unauthenticated POST requests to the two identified endpoints.
  • Detect JSP webshell content (<%@ page import="java.io...") embedded inside a file uploaded with a .bmp extension and Content-Type: image/bmp.
  • Detect the directory traversal rename step: POST body containing JSON cp command with srcPath ending in .bmp and destPath ending in .jsp targeting makeDetailContent.do.
  • The vulnerable code path is the makeDetailContent method; the cp command lacks path validation, enabling directory traversal to place the renamed .jsp in a web-accessible location.
  • Vulnerability affects LG Simple Editor versions prior to v3.21 only; ensure version scoping before deploying detections to avoid false positives on patched installations.
  • Snort/Suricata rules (sid:2049212, sid:2049213) are tuned for perimeter and internal deployment with low performance impact; confirm $HOME_NET variable correctly scopes LG Simple Editor server IPs.
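The two detection stages in the bullets above can also be checked outside an IDS, for example in a WAF hook or when re-scanning captured POST bodies. The following Python is an added example written for this page; it is not part of the page's sources or of the ET rules, which remain the authoritative signatures. It takes the request URI and raw body, mirrors what sid:2049212 and sid:2049213 match (JSP page directive under a .bmp upload; a cp command copying *.bmp to *.jsp), and goes slightly beyond them in two labelled ways: it also treats .jspx as an executable destination, and it separately reports a ".." segment in either cp path, since the underlying flaw is the unvalidated path. The sample bodies are constructed, not real captures.

```python
import json
import re

# Endpoints and byte patterns taken from the two ET rules on this page.
UPLOAD_ENDPOINT = "/simpleeditor/imageManager/uploadImage.do"
RENAME_ENDPOINT = "/simpleeditor/fileSystem/makeDetailContent.do"

# Stage 1: a multipart part named uploadFile whose filename ends in .bmp ...
BMP_PART = re.compile(rb'name="uploadFile";\s*filename="[^"]*\.bmp"', re.IGNORECASE)
# ... whose content starts with a JSP page directive (|3c 25 40|page import|3d 22|java.io.).
JSP_DIRECTIVE = re.compile(rb'<%@\s*page\s+import="java\.io\.')

# Stage 2: destination extensions a servlet container would execute.
# Assumption: .jspx is included here; the ET rule only names .jsp.
SERVER_SIDE_EXTS = (".jsp", ".jspx")


def has_traversal(path):
    """True if any path segment is '..' (forward or back slashes both count)."""
    return ".." in path.replace("\\", "/").split("/")


def inspect_upload(uri, body):
    """Stage 1 check. Returns a set of reason tags; empty set means nothing matched."""
    reasons = set()
    if uri != UPLOAD_ENDPOINT or not BMP_PART.search(body):
        return reasons
    if JSP_DIRECTIVE.search(body):
        reasons.add("jsp_in_bmp_upload")
    return reasons


def inspect_rename(uri, body):
    """Stage 2 check. Parses the JSON command body and returns a set of reason tags."""
    reasons = set()
    if uri != RENAME_ENDPOINT:
        return reasons
    try:
        req = json.loads(body.decode("utf-8", errors="replace"))
    except ValueError:
        return reasons  # not JSON, so not the cp command shape the rule describes
    if not isinstance(req, dict) or req.get("command") != "cp":
        return reasons
    src = str(req.get("srcPath", ""))
    dst = str(req.get("destPath", ""))
    if src.lower().endswith(".bmp") and dst.lower().endswith(SERVER_SIDE_EXTS):
        reasons.add("bmp_renamed_to_jsp")
    # Assumption beyond the ET rule: any '..' segment in a cp path is worth a look.
    if has_traversal(src) or has_traversal(dst):
        reasons.add("traversal_in_cp_path")
    return reasons


def inspect_request(uri, body):
    """Run both stage checks on one POST and return the union of reason tags."""
    return inspect_upload(uri, body) | inspect_rename(uri, body)


# Constructed sample bodies (not real captures).
UPLOAD_HIT = (
    b"------b\r\n"
    b'Content-Disposition: form-data; name="uploadFile"; filename="logo.bmp"\r\n'
    b"Content-Type: image/bmp\r\n"
    b"Content-Transfer-Encoding: binary\r\n\r\n"
    b'<%@page import="java.io.*" %>\r\n'  # JSP directive where pixel data should be
    b"------b--\r\n"
)
UPLOAD_BENIGN = (
    b"------b\r\n"
    b'Content-Disposition: form-data; name="uploadFile"; filename="logo.bmp"\r\n'
    b"Content-Type: image/bmp\r\n\r\n"
    b"BM\x36\x00\x00\x00\x00\x00\x00\x00\r\n"  # real BMP magic and a few header bytes
    b"------b--\r\n"
)
RENAME_HIT = b'{"command":"cp","option":"-f","srcPath":"logo.bmp","destPath":"logo.jsp"}'
RENAME_BENIGN = b'{"command":"cp","option":"-f","srcPath":"logo.bmp","destPath":"logo_copy.bmp"}'
RENAME_TRAVERSAL = b'{"command":"cp","option":"-f","srcPath":"../logo.bmp","destPath":"../logo.bmp"}'

if __name__ == "__main__":
    for label, uri, body in [
        ("upload hit", UPLOAD_ENDPOINT, UPLOAD_HIT),
        ("upload benign", UPLOAD_ENDPOINT, UPLOAD_BENIGN),
        ("rename hit", RENAME_ENDPOINT, RENAME_HIT),
        ("rename benign", RENAME_ENDPOINT, RENAME_BENIGN),
        ("rename traversal", RENAME_ENDPOINT, RENAME_TRAVERSAL),
    ]:
        print(f"{label:18s} -> {sorted(inspect_request(uri, body)) or 'clean'}")
```

The reason tags map one-to-one onto the two ET rules so an alert can be correlated with sid:2049212 or sid:2049213, and the traversal tag is kept separate so it can be tuned or dropped independently; as the bullets note, scope all of this to hosts running LG Simple Editor before v3.21.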

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H