Vulnerability Description
Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and non-personal workspaces is granted.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pydio | Cells | < 3.0.12 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/172645/Pydio-Cells-4.1.2-Privilege-EscalatiExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2023/May/18ExploitMailing ListThird Party Advisory
- https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerabiThird Party Advisory
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-003/-pydio-cells-unauExploitThird Party Advisory
- http://packetstormsecurity.com/files/172645/Pydio-Cells-4.1.2-Privilege-EscalatiExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2023/May/18ExploitMailing ListThird Party Advisory
- https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerabiThird Party Advisory
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-003/-pydio-cells-unauExploitThird Party Advisory
FAQ
What is CVE-2023-32749?
CVE-2023-32749 is a vulnerability with a CVSS score of 8.8 (HIGH). Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assi...
How severe is CVE-2023-32749?
CVE-2023-32749 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-32749?
Check the references section above for vendor advisories and patch information. Affected products include: Pydio Cells.