CVE-2023-32749
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/06/2023
Last modified:
06/01/2025
Description
Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and non-personal workspaces is granted.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:pydio:cells:*:*:*:*:*:*:*:* | 3.0.12 (excluding) | |
| cpe:2.3:a:pydio:cells:*:*:*:*:*:*:*:* | 4.1.0 (including) | 4.1.3 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://packetstormsecurity.com/files/172645/Pydio-Cells-4.1.2-Privilege-Escalation.html
- http://seclists.org/fulldisclosure/2023/May/18
- https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-003/-pydio-cells-unauthorised-role-assignments
- http://packetstormsecurity.com/files/172645/Pydio-Cells-4.1.2-Privilege-Escalation.html
- http://seclists.org/fulldisclosure/2023/May/18
- https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-003/-pydio-cells-unauthorised-role-assignments