{"id":"CVE-2023-23607","summary":"Unrestricted file upload leads to Remote Code Execution in erohtar/Dasherr","details":"erohtar/Dasherr is a dashboard for self-hosted services. In affected versions unrestricted file upload allows any unauthenticated user to execute arbitrary code on the server. The file /www/include/filesave.php allows any file to be uploaded to any location. If an attacker uploads a PHP file they can execute code on the server. This issue has been addressed in version 1.05.00. Users are advised to upgrade. There are no known workarounds for this issue.\n","aliases":["GHSA-6rgc-2x44-7phq"],"modified":"2026-04-02T08:49:15.852653Z","published":"2023-01-20T20:03:45.071Z","database_specific":{"cwe_ids":["CWE-434"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/23xxx/CVE-2023-23607.json"},"references":[{"type":"WEB","url":"https://www.vicarius.io/vsociety/posts/analyzing-arbitrary-file-upload-in-dasherr-cve-2023-23607-23608"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/23xxx/CVE-2023-23607.json"},{"type":"ADVISORY","url":"https://github.com/erohtar/Dasherr/security/advisories/GHSA-6rgc-2x44-7phq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23607"},{"type":"FIX","url":"https://github.com/erohtar/Dasherr/commit/445325c7cf1148a8cd38af3a90789c6cbf6c5112"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/erohtar/dasherr","events":[{"introduced":"0"},{"fixed":"445325c7cf1148a8cd38af3a90789c6cbf6c5112"}]}],"versions":["v1.0.0","v1.00.00","v1.01.00","v1.01.01","v1.01.02","v1.02.00","v1.03.00","v1.03.01","v1.04.00","v1.04.01","v1.04.02","v1.1.0","v1.1.1","v1.1.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-23607.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}