Cyber Resilience

CVE-2023-40497

Critical

Published: 03 May 2024

Published
03 May 2024
Modified
10 April 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.3658 97.2th percentile
Risk Priority 42 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-40497 is a critical-severity Path Traversal (CWE-22) vulnerability in Lg Simple Editor. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 2.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

LG Simple Editor is affected by CVE-2023-40497, a directory traversal vulnerability in the saveXml command inside the makeDetailContent method. The flaw stems from missing validation of user-supplied paths before they are used in file operations, enabling remote code execution with SYSTEM privileges on vulnerable installations.

Unauthenticated remote attackers can exploit the issue over the network to run arbitrary code in the context of the SYSTEM account, achieving full control of the target system. The vulnerability carries a CVSS 3.1 base score of 9.8 and was originally reported as ZDI-CAN-19924.

The Zero Day Initiative advisory ZDI-23-1203 documents the flaw, though the available references do not detail specific patches or mitigation steps. The EPSS score has reached 0.3658 with no material change from its peak value.

EU & UK References

Vulnerability details

LG Simple Editor saveXml Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the…

more

saveXml command implemented in the makeDetailContent method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. . Was ZDI-CAN-19924.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

lg
simple editor
3.21.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References