CVE-2025-6453
BaseFortify

Publication date: 2025-06-22

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability classified as critical has been found in diyhi bbs 6.8. Affected is the function Add of the file /src/main/java/cms/web/action/template/ForumManageAction.java of the component API. The manipulation of the argument dirName leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Meta Information
Published: 2025-06-22
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-06-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: diyhi
Product: bbs
Version / Range: 6.8
CWE
CWE ID: CWE-22
Description: The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-6453 is a critical path traversal vulnerability in diyhi bbs version 6.8. It occurs in the Add function of the ForumManageAction.java file, where the dirName parameter is not properly validated. This allows an attacker to manipulate dirName to traverse directories outside the intended storage path, enabling unauthorized file uploads and creation of lockFiles in arbitrary server directories. The vulnerability can be exploited remotely without authentication, and a proof-of-concept exploit is publicly available. [1, 2]


How can this vulnerability impact me?

This vulnerability can impact you by compromising the confidentiality, integrity, and availability of your system. An attacker can upload files and create lockFiles in unauthorized directories on the server, potentially leading to unauthorized file writes and further exploitation. Since the attack can be launched remotely without authentication, it poses a significant security risk. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can focus on monitoring requests to the vulnerable API endpoint `/control/forum/manage?method=add` for manipulation of the `dirName` parameter that contains directory traversal sequences (e.g., `../`, including URL-encoded forms such as `%2e%2e%2f`). Network or web server logs can be searched for such patterns. For example, using grep on server logs: `grep -E 'forum/manage.*dirName=[^& ]*(\.\./|%2[eE]%2[eE])' /var/log/apache2/access.log` or similar (a plain `dirName=..` pattern would match any two characters, since `.` is a regex wildcard). Additionally, inspecting HTTP requests for unusual file upload paths or lockFile creations outside expected directories can help detect exploitation attempts. [1, 2]
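As an added detection example (not code from BaseFortify or the diyhi project), the following Python scanner checks access-log lines for requests to the endpoint named above whose `dirName` value still contains a `..` path segment after repeated URL-decoding, which catches the encoded and double-encoded variants a single grep pattern misses. The Apache combined-log format and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the advisory text.
TARGET_PATH = "/control/forum/manage"
TARGET_PARAM = "dirName"

# Request field of an Apache/nginx combined log line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_traversal(value: str, max_decode: int = 3) -> bool:
    """True if value contains a '..' path segment after up to max_decode rounds
    of URL-decoding (covers %2e%2e, %252e%252e) with backslashes treated as '/'."""
    decoded = value
    for _ in range(max_decode):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return any(seg == ".." for seg in decoded.replace("\\", "/").split("/"))


def flag_line(line: str):
    """Return (method, dirName) for a request to the vulnerable endpoint whose
    dirName looks like traversal; None for anything else."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    for value in query.get(TARGET_PARAM, []):
        if is_traversal(value):
            return m.group("method"), value
    return None


def scan(lines):
    """Collect every flagged (method, dirName) pair from an iterable of log lines."""
    return [hit for hit in (flag_line(l) for l in lines) if hit]


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jun/2025:10:01:02 +0000] "GET /control/forum/manage?method=add&dirName=forum1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [22/Jun/2025:10:01:05 +0000] "GET /control/forum/manage?method=add&dirName=..%2F..%2Ftmp%2Fx HTTP/1.1" 200 512',
    '10.0.0.9 - - [22/Jun/2025:10:01:07 +0000] "GET /control/forum/manage?method=add&dirName=%252e%252e%252ftmp HTTP/1.1" 200 512',
    '10.0.0.7 - - [22/Jun/2025:10:02:00 +0000] "GET /index.html?dirName=../x HTTP/1.1" 200 128',
]
```

Standard access logs record only the request line, so a `dirName` sent in a POST body will not appear here; for that case the same `is_traversal` check has to run on request bodies captured by a WAF or reverse proxy.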


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting or disabling access to the vulnerable API endpoint `/control/forum/manage?method=add` until a patch or fix is available. Since no known countermeasures or mitigations have been identified, it is recommended to replace the affected diyhi bbs version 6.8 with an alternative product or updated version that addresses the vulnerability. Additionally, monitoring for exploitation attempts and applying network-level protections such as web application firewalls to block suspicious directory traversal payloads can help reduce risk. [2]

