cbcvebase.
CVE-2024-2863
published 2024-03-25

CVE-2024-2863: This vulnerability allows remote attackers to traverse paths via file upload on the affected LG LED Assistant.

Priority: P190 · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 66.97% (99.2 percentile)

Affected (2 ranges)

Vendor           Product            Version range   Fixed in
lg               lg_led_assistant   (not listed)    (not listed)
lg_electronics   lg_led_assistant   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

url: /api/thumbnail
sigma
shodan-query: 'http.title:"LG LED Assistant" OR http.title:"LED Assistant"'
  • Monitor for unauthenticated POST requests to /api/thumbnail containing path traversal sequences (e.g., '../') in the 'fileName' parameter, indicating an attempt to write files outside the intended directory.
  • The Nuclei template uses target_filename '/../../../../../../Users/Public/poc_test.txt' and target_fileStr 'bWFsaWNpb3VzIGNvbnRlbnQ%3d' as the POST body to /api/thumbnail; watch for these patterns in web logs.
  • The vulnerability requires no authentication (PR:N, UI:N); any source IP can exploit it. Prioritize blocking or alerting on external access to /api/thumbnail on port 8787.
  • The affected product is LG LED Assistant v2.1.65 specifically; at time of disclosure, no vendor patch or recommended mitigation was available.
  • The vulnerable endpoint handler is located in Common.js; the traversal occurs via the 'fileName' POST parameter, which is not sanitized before being used in file write operations.

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 5.3 MEDIUM