CVE-2023-32749

Sažetak

Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and non-personal workspaces is granted.

Reference

http://packetstormsecurity.com/files/172645/Pydio-Cells-4.1.2-Privilege-Escalation.html
http://seclists.org/fulldisclosure/2023/May/18
https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses
https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-003/-pydio-cells-unauthorised-role-assignments
http://packetstormsecurity.com/files/172645/Pydio-Cells-4.1.2-Privilege-Escalation.html
http://seclists.org/fulldisclosure/2023/May/18
https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses
https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-003/-pydio-cells-unauthorised-role-assignments

CVSS

Base:	8.8
Impact:	5.9
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

06-01-2025 - 21:15

Objavljeno

08-06-2023 - 20:15