Severity: HIGH · CVE-2023-40499 · CVSS 8.2

CVE-2023-40499: Directory Traversal in LG Simple Editor

Platform

windows

Component

lg-simple-editor

Fixed in

3.21.1

AI Confidence: high · Source: NVD · EPSS 1.9% · Reviewed: May 2026

CVE-2023-40499 is a directory traversal vulnerability discovered in LG Simple Editor. This flaw allows unauthenticated remote attackers to delete arbitrary files on affected systems, potentially leading to significant data loss and system instability. The vulnerability impacts versions 3.21.0 and earlier. A fix is pending from LG.

Impact and Attack Scenarios

The directory traversal vulnerability in LG Simple Editor lets an attacker bypass the intended file system restrictions. By crafting malicious requests, an attacker can control the path handed to the mkdir call within the makeDetailContent method and so specify arbitrary file paths. Successful exploitation allows the attacker to delete files on the system with SYSTEM privileges, which could mean the loss of critical system files, configuration data, or sensitive user information. The impact extends beyond data loss, as an attacker could disrupt system operations or use the foothold to gain further access to the compromised environment. As with other directory traversal flaws, the root cause is insufficient input validation that leads to unauthorized file system access.
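To make the failure mode concrete, here is an added illustration (not LG's code; the function names, the content root and the parameter handling are assumptions) of the unsafe join pattern described above beside a hardened version that allow-lists a single path component and verifies the result stays directly under the content root:

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed content root; the real install path is not stated on the page.
CONTENT_ROOT = "/srv/lg-simple-editor/content"
# A content name may be one plain path component: no separators, no leading dot.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


class TraversalError(ValueError):
    """Raised when a request value would resolve outside the content root."""


def detail_dir_unsafe(content_name: str, root: str = CONTENT_ROOT) -> str:
    # Vulnerable pattern (hypothetical): the request value is joined onto the
    # root and handed to mkdir/delete as-is, so "../../x" walks out of root.
    return posixpath.normpath(posixpath.join(root, content_name))


def detail_dir_safe(content_name: str, root: str = CONTENT_ROOT) -> str:
    # Hardened version: validate before any filesystem call.
    # 1. Decode twice so "%252e%252e" cannot survive as text that a later
    #    layer turns back into "..".
    name = unquote(unquote(content_name))
    # 2. The product runs on Windows, where "\" also separates components.
    name = name.replace("\\", "/")
    # 3. Allow-list a single component; this also rejects "", ".", "..",
    #    drive letters ("C:") and embedded NUL bytes.
    if not SAFE_NAME.fullmatch(name):
        raise TraversalError(f"rejected content name: {content_name!r}")
    # 4. Belt and braces: the normalized path must sit directly under root.
    candidate = posixpath.normpath(posixpath.join(root, name))
    if posixpath.dirname(candidate) != posixpath.normpath(root):
        raise TraversalError(f"escaped content root: {candidate}")
    return candidate


def accepts(content_name: str) -> bool:
    """True if the hardened builder accepts the name (handy for checks)."""
    try:
        detail_dir_safe(content_name)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    print(detail_dir_unsafe("../../Windows/System32"))  # -> /srv/Windows/System32
    print(detail_dir_safe("promo_2024"))
    print([accepts(n) for n in ("..\\..\\Windows", "%2e%2e/etc", "C:/Windows")])
```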

Exploitation Context

CVE-2023-40499 was publicly disclosed on May 3, 2024. It is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the vulnerability's nature suggests a relatively low barrier to exploitation. The vulnerability was originally reported as ZDI-CAN-19926.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

1.88% (83rd percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

CVSS Vector

CVSS 3.1 base score: 8.2 (HIGH)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: High (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: lg-simple-editor
Vendor: LG
Affected range: LG Simple Editor 3.21.0 – LG Simple Editor 3.21.0
Fixed in: 3.21.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 751 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2023-40499 is to upgrade to a patched version of LG Simple Editor as soon as it becomes available. Until a patch is released, implement strict file access controls to limit the directories accessible by the LG Simple Editor process. Consider using a Web Application Firewall (WAF) to filter requests containing suspicious path manipulation attempts. Monitor system logs for unusual file deletion activity. Restrict network access to the LG Simple Editor service to only authorized users and systems.
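As an added example of the log monitoring and WAF-style filtering suggested above (not from the original page; the endpoint URL, the contentName parameter and the log lines are constructed), the check below canonicalizes each request target and flags traversal sequences aimed at the content-creation endpoint, including double percent-encoded and backslash variants:

```python
import re
from urllib.parse import unquote

# Constructed combined-format access-log lines; not real traffic. The endpoint
# path and the contentName parameter are assumed for illustration.
SAMPLE_LOG = """\
203.0.113.5 - - [03/May/2024:10:01:02 +0000] "POST /simple-editor/makeDetailContent HTTP/1.1" 200 512
203.0.113.7 - - [03/May/2024:10:01:09 +0000] "POST /simple-editor/makeDetailContent?contentName=..%2F..%2FWindows HTTP/1.1" 200 512
203.0.113.9 - - [03/May/2024:10:02:11 +0000] "GET /simple-editor/index.do HTTP/1.1" 200 2048
203.0.113.7 - - [03/May/2024:10:02:40 +0000] "POST /simple-editor/makeDetailContent?contentName=%252e%252e%255cconfig HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# After canonicalization a traversal looks like "../" or a trailing "/..".
TRAVERSAL = re.compile(r'\.\./|/\.\.$')


def canonical_target(target: str) -> str:
    # Decode twice (catches double percent-encoding) and fold Windows
    # backslashes so every spelling of "dot-dot-slash" compares equal.
    return unquote(unquote(target)).replace("\\", "/")


def find_traversal_attempts(log_text: str,
                            endpoint: str = "/simple-editor/makeDetailContent") -> list:
    """Return (ip, timestamp, decoded target) for requests that aim a
    traversal sequence at the content-creation endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        target = canonical_target(m["target"])
        if target.startswith(endpoint) and TRAVERSAL.search(target):
            hits.append((m["ip"], m["ts"], target))
    return hits


if __name__ == "__main__":
    for ip, ts, target in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} {target}")
```

Feed the same canonicalization to a WAF rule or SIEM query so that one pattern covers the encoded spellings; repeated hits from one source against the endpoint are a stronger signal than a single line.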

How to fix

Upgrade to a patched version of LG Simple Editor. If no patched version is available, consider uninstalling the software or avoiding its use until an update is published.

Frequently asked questions

What is CVE-2023-40499 — Directory Traversal in LG Simple Editor?

CVE-2023-40499 is a directory traversal vulnerability in LG Simple Editor versions 3.21.0 and earlier, allowing attackers to delete arbitrary files.

Am I affected by CVE-2023-40499 in LG Simple Editor?

You are affected if you are using LG Simple Editor version 3.21.0 or earlier. Check your version and upgrade as soon as a patch is available.

How do I fix CVE-2023-40499 in LG Simple Editor?

Upgrade to a patched version of LG Simple Editor as soon as it is released. Until then, implement strict file access controls and consider using a WAF.

Is CVE-2023-40499 being actively exploited?

While active exploitation has not been widely confirmed, the vulnerability's nature suggests a low barrier to exploitation, and it is likely to be targeted.

Where can I find the official LG advisory for CVE-2023-40499?

Refer to the LG security advisory page for updates and the latest information regarding CVE-2023-40499.
