CVE-2018-17173: Code Injection
First published: Fri Sep 21 2018(Updated: )
LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| LG SuperSign CMS | =2.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-17173?
The severity of CVE-2018-17173 is critical with a score of 9.8.
How does CVE-2018-17173 allow remote attackers to execute arbitrary code?
CVE-2018-17173 allows remote attackers to execute arbitrary code through the sourceUri parameter in qsr_server/device/getThumbnail.
Which version of LG SuperSign CMS is affected by CVE-2018-17173?
Version 2.5 of LG SuperSign CMS is affected by CVE-2018-17173.
Are there any known exploits for CVE-2018-17173?
Yes, there are known exploits for CVE-2018-17173. Some references to these exploits can be found at: [reference 1](http://mamaquieroserpentester.blogspot.com/2018/09/lg-supersign-rce-to-luna-and-back-to.html), [reference 2](http://packetstormsecurity.com/files/152733/LG-Supersign-EZ-CMS-Remote-Code-Execution.html), and [reference 3](https://www.exploit-db.com/exploits/45448/).
What is the CWE category of CVE-2018-17173?
The CWE category of CVE-2018-17173 is CWE-94, which is for Improper Control of Generation of Code (Code Injection).
- collector/nvd-index
- agent/severity
- agent/references
- agent/author
- agent/weakness
- agent/type
- agent/event
- agent/last-modified-date
- agent/tags
- agent/description
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/lg
- canonical/lg supersign cms
- version/lg supersign cms/2.5