FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

Exploit
CVE-2023-6900

Path Traversal: '../filedir' (CWE-24)

Published: Dec 17, 2023 / Updated: 11mo ago

010
CVSS 9.1EPSS 0.05%Critical
CVE info copied to clipboard

Summary

CVE-2023-6900 is a path traversal vulnerability in the rmountjoy92 DashMachine 0.5-4 software. The vulnerable functionality is related to the /settings/delete_file endpoint, where the manipulation of the 'file' argument allows traversing out of the intended directory and deleting arbitrary files on the system. This could lead to data loss, system compromise, or denial of service.

Impact

An attacker exploiting this vulnerability could leverage the path traversal to delete sensitive system files, causing system instability, data loss, or even full system compromise if they can delete files required for proper functioning of the software or operating system. Depending on the files deleted, the impact could range from minor issues to complete denial of service.

Exploitation

One proof-of-concept exploit is available on notion.site. There is no evidence of proof of exploitation at the moment.

Patch

No patch information is provided, but since a public exploit exists, it is critical to update DashMachine to the latest patched version as soon as possible.

Mitigation

If updating is not immediately possible, apply strict input validation on the 'file' parameter to prevent traversal out of the intended directory. Filter out '../' sequences and ensure only intended files can be accessed or deleted. Also restrict access to the vulnerable endpoint as much as possible.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2023-6900

Dec 17, 2023 at 6:15 AM
First Article

Feedly found the first article mentioning CVE-2023-6900. See article

Dec 17, 2023 at 2:06 PM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Dec 17, 2023 at 2:07 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 12.4%)

Dec 18, 2023 at 2:57 PM
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Dec 20, 2023 at 3:10 PM
CVSS

A CVSS base score of 9.1 has been assigned.

Apr 11, 2024 at 1:27 AM / nvd
CVSS

A CVSS base score of 9.1 has been assigned.

May 14, 2024 at 3:09 PM / nvd
Static CVE Timeline Graph

Affected Systems

Rmountjoy92/dashmachine
+null more

Exploits

https://treasure-blarney-085.notion.site/DashMachine-Arbitrary-File-Deletion-ab44f2fe68e843c393ae9e0c1d487676
+null more

Attack Patterns

CAPEC-126: Path Traversal
+null more

News

CVE-2023-6900 Exploit
inTheWild.io Exploits / 11mo
CVE Id : CVE-2023-6900 Published Date: 2023-12-20T20:35:00+00:00 A vulnerability, which was classified as critical, has been found in rmountjoy92 DashMachine 0.5-4. Affected by this issue is some unknown functionality of the file /settings/delete_file. The manipulation of the argument file leads to path traversal: '../filedir'. The exploit has been disclosed to the public and may be used. VDB-248258 is the identifier assigned to this vulnerability. inTheWild added a link to an exploit: https://treasure-blarney-085.notion.site/DashMachine-Arbitrary-File-Deletion-ab44f2fe68e843c393ae9e0c1d487676
NA - CVE-2023-6900 - A vulnerability, which was classified as...
Security-Database Alerts Monitor : Last 100 Alerts / 11mo
Cvss vector : N/A Overall CVSS Score NA Base Score NA Environmental Score NA impact SubScore NA Temporal Score NA Exploitabality Sub Score NA Calculate full CVSS 3.0 Vectors scores Cvss vector : Cvss Base Score N/A Attack Range N/A Cvss Impact Score N/A Attack Complexity N/A Cvss Expoit Score N/A Authentication N/A Calculate full CVSS 2.0 Vectors scores
CVE-2023-6900
Newest CVEs from Tenable / 11mo
Critical Severity Description A vulnerability, which was classified as critical, has been found in rmountjoy92 DashMachine 0.5-4. Affected by this issue is some unknown functionality of the file /settings/delete_file. The manipulation of the argument file leads to path traversal: '../filedir'. The exploit has been disclosed to the public and may be used. VDB-248258 is the identifier assigned to this vulnerability. Read more at https://www.tenable.com/cve/CVE-2023-6900
CVE-2023-6900
Vulners.com RSS Feed / 11mo
A vulnerability, which was classified as critical, has been found in rmountjoy92 DashMachine 0.5-4. Affected by this issue is some unknown functionality of the file /settings/delete_file. The manipulation of the argument file leads to path traversal: '../filedir'. The exploit has been disclosed to the public and may be used. VDB-248258 is the identifier assigned to this...
CVE-2023-6900
CyberSecurityBoard.com Cyber News | RSS Feed / 11mo
A vulnerability, which was classified as critical, has been found in rmountjoy92 DashMachine 0.5-4. Affected by this issue is some unknown functionality of the file /settings/delete_file. The manipulation of the argument file leads to path traversal: '../filedir'. The exploit has been disclosed to CVE-2023-6900 originally published on CyberSecurityBoard
See 2 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:None
Integrity:High
Availability Impact:High

Categories

CVSS 9.1(27010)CWE-24(56)CWE-22(6658)Rmountjoy92(2)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial