diyhi BBS Path Traversal Vulnerability in API Forum Management Action

Vulnerability

A critical path traversal vulnerability has been identified in diyhi BBS version 6.8. The issue arises in the API component, specifically within the ForumManageAction.java file. The vulnerability is triggered by manipulating the dirName parameter in the Add function, allowing for arbitrary file path traversal. This flaw can be exploited remotely, with a public proof-of-concept available.

Impact

Exploitation of this vulnerability lets an attacker reach files and directories outside the intended directory structure, which could lead to unauthorized file disclosure or manipulation.

Reproduction

To reproduce this vulnerability, send a request to the /control/forum/manage?method=add endpoint with a crafted dirName parameter. The server does not validate this value, so directory traversal sequences in it are passed through, potentially reaching sensitive files or directories on the server.
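As an added example (not diyhi BBS code or its published fix), the kind of check a maintainer could apply to a user-supplied directory name such as dirName before it touches the filesystem; the class name, base path and method names are assumptions:

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Added example, not part of diyhi BBS: validates a user-supplied directory
// name with an allow-list and then confirms it resolves under the base dir.
public final class DirNameGuard {
    // Allow-list: a forum directory name should be one plain path segment.
    // This alone rejects "..", "/", "\\", NUL bytes and empty names.
    private static final Pattern SAFE_SEGMENT = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    private DirNameGuard() {}

    /** Returns true only if dirName is a plain segment that stays inside base. */
    public static boolean isSafeDirName(Path base, String dirName) {
        if (dirName == null || !SAFE_SEGMENT.matcher(dirName).matches()) {
            return false;
        }
        Path root = base.toAbsolutePath().normalize();
        Path target = root.resolve(dirName).normalize();
        // Second, independent check: normalized target must still be below root
        // (Path.startsWith compares whole path segments, not string prefixes).
        return target.startsWith(root) && !target.equals(root);
    }

    /** Resolves dirName under base or rejects it; call this before creating the directory. */
    public static Path resolveOrReject(Path base, String dirName) {
        if (!isSafeDirName(base, dirName)) {
            throw new IllegalArgumentException("rejected directory name");
        }
        return base.toAbsolutePath().normalize().resolve(dirName);
    }

    public static void main(String[] args) {
        Path base = Paths.get("/var/bbs/forums"); // assumed forum root, constructed for the demo
        String[] samples = {"general", "../../etc", "a/b", "..", "ok_name-1", ""};
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + isSafeDirName(base, s));
        }
    }
}
```

Only "general" and "ok_name-1" pass; every other sample is rejected by the allow-list before any path resolution happens.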

Added: Jun 22, 2025, 3:31 AM
Updated: Jun 22, 2025, 3:31 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.