CVE-2023-23607
CRITICALdasherr < 1.05.00 - Unauthenticated Arbitrary File Upload and Remote Code Execution via filesave.php
Title source: llmDescription
erohtar/Dasherr is a dashboard for self-hosted services. In affected versions unrestricted file upload allows any unauthenticated user to execute arbitrary code on the server. The file /www/include/filesave.php allows for any file to uploaded to anywhere. If an attacker uploads a php file they can execute code on the server. This issue has been addressed in version 1.05.00. Users are advised to upgrade. There are no known workarounds for this issue.
References (3)
Core 3
Core References
Third Party Advisory
https://www.vicarius.io/vsociety/posts/analyzing-arbitrary-file-upload-in-dasherr-cve-2023-23607-23608
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/erohtar/Dasherr/security/advisories/GHSA-6rgc-2x44-7phq
Patch, Third Party Advisory x_refsource_misc
https://github.com/erohtar/Dasherr/commit/445325c7cf1148a8cd38af3a90789c6cbf6c5112
Scores
CVSS v3
9.8
EPSS
0.0161
EPSS Percentile
72.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-434
Status
published
Products (1)
dasherr_project/dasherr
< 1.05.00
Published
Jan 20, 2023
Tracked Since
Feb 18, 2026