github.com/pydio/cells is vulnerable to privilege escalation. Pydio Cells allows the creation of external users for file sharing. By altering the HTTP request that is submitted when creating an external user, the new user can be given arbitrary roles with access to all cells and non-personal workspaces, allowing attackers to acquire elevated privileges.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | github.com/pydio/cells | le | v4.1.2 |
packetstormsecurity.com/files/172645/Pydio-Cells-4.1.2-Privilege-Escalation.html
seclists.org/fulldisclosure/2023/May/18
github.com/advisories/GHSA-rm22-vh4p-35m7
github.com/pydio/cells/commit/259fbfdd1c909d32ae2dc366163bc027b6722b90
www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses
www.redteam-pentesting.de/en/advisories/rt-sa-2023-003/-pydio-cells-unauthorised-role-assignments