Cyber Resilience

CVE-2023-40502

Critical

Published: 03 May 2024

Published
03 May 2024
Modified
10 April 2025
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.2734 96.5th percentile
Risk Priority 35 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-40502 is a critical-severity Path Traversal (CWE-22) vulnerability in Lg Simple Editor. Its CVSS base score is 9.1 (Critical).

Operationally, ranked in the top 3.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

LG Simple Editor contains a directory traversal vulnerability in its cropImage command that permits unauthenticated remote attackers to delete arbitrary files. The flaw stems from insufficient validation of user-supplied path parameters before they are used in file operations, allowing deletion in the context of the SYSTEM account. The issue was originally reported as ZDI-CAN-19951 and carries a CVSS 3.1 score of 9.1.

An attacker with network access can invoke the cropImage functionality directly, supplying a crafted path to remove any file on the affected system without requiring credentials or user interaction. Successful exploitation results in high-impact integrity and availability loss while leaving confidentiality unaffected.

The Zero Day Initiative published advisory ZDI-23-1194 detailing the vulnerability. The current EPSS score stands at 0.2734 with an identical peak value, indicating no material post-disclosure rise in observed exploitation interest.

EU & UK References

Vulnerability details

LG Simple Editor cropImage Directory Traversal Arbitrary File Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary files on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the…

more

implementation of the cropImage command. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of SYSTEM. . Was ZDI-CAN-19951.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

lg
simple editor
3.21.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References