A vulnerability, which was classified as critical, has been found in rmountjoy92 DashMachine 0.5-4. Affected by this issue is some unknown functionality of the file /settings/delete_file. The manipulation of the argument file leads to path traversal: '../filedir'. The exploit has been disclosed to the public and may be used. VDB-248258 is the identifier assigned to this vulnerability.
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
| Link | Tags |
|---|---|
| https://vuldb.com/?id.248258 | third party advisory vdb entry technical description |
| https://vuldb.com/?ctiid.248258 | signature third party advisory permissions required |
| https://treasure-blarney-085.notion.site/DashMachine-Arbitrary-File-Deletion-ab44f2fe68e843c393ae9e0c1d487676 | third party advisory exploit |