Cyber Resilience

CVE-2023-6900

MediumPublic PoC

Published: 17 December 2023

Published
17 December 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 4.6 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
EPSS Score 0.0006 18.7th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-6900 is a medium-severity Path Traversal: '../filedir' (CWE-24) vulnerability in Rmountjoy92 Dashmachine. Its CVSS base score is 4.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Direct Volume Access (T1006); ranked at the 18.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

A vulnerability, which was classified as critical, has been found in rmountjoy92 DashMachine 0.5-4. Affected by this issue is some unknown functionality of the file /settings/delete_file. The manipulation of the argument file leads to path traversal: '../filedir'. The exploit has…

more

been disclosed to the public and may be used. VDB-248258 is the identifier assigned to this vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1006 Direct Volume Access Stealth
Adversaries may directly access a volume to bypass file access controls and file system monitoring.
T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal in /settings/delete_file enables arbitrary file deletion via public-facing web app (T1190), direct filesystem access (T1006), and file deletion for evasion or impact (T1070.004, T1107).

Affected Assets

rmountjoy92
dashmachine
0.5-4

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References