CVE-2025-10204

A vulnerability has been discovered in AC Smart II where passwords can be changed without authorization. This page contains a hidden form for resetting the administrator password. The attacker can manipulate the page using developer tools to display and use the form. This form allows you to change the administrator password without verifying login status or user permissions.

CVSS

No CVSS.

References

Link	Resource
https://lgsecurity.lge.com/bulletins

Configurations

No configuration.

History

14 Sep 2025, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-09-14 13:15

Updated : 2025-09-14 13:15

NVD link : CVE-2025-10204

Mitre link : CVE-2025-10204

CVE.ORG link : CVE-2025-10204

JSON object : View

Products Affected

No product.

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2025-10204", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "product.security@lge.com"}], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "product.security@lge.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-09-14T13:15:32.067", "references": [{"url": "https://lgsecurity.lge.com/bulletins", "source": "product.security@lge.com"}], "vulnStatus": "Received", "weaknesses": [{"type": "Secondary", "source": "product.security@lge.com", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been discovered in AC Smart II where passwords can be changed without authorization.\u00a0This page contains a hidden form for resetting the administrator password.\u00a0The attacker can manipulate the page using developer tools to display and use the form.\u00a0This form allows you to change the administrator password without verifying login status or user permissions."}], "lastModified": "2025-09-14T13:15:32.067", "sourceIdentifier": "product.security@lge.com"}

CVE-2025-10204

JSON object

Attach tags to CVE-2025-10204

Attach tags to `CVE-2025-10204`