CVE-2023-32749

Exploit

EPSS 44.01%
Veröffentlicht 08.06.2023 20:15:09
Zuletzt bearbeitet 06.01.2025 21:15:10
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and non-personal workspaces is granted.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pydio ≫ Cells Version < 3.0.12

Pydio ≫ Cells Version >= 4.1.0 < 4.1.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	44.01%	0.974

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses

Third Party Advisory

http://packetstormsecurity.com/files/172645/Pydio-Cells-4.1.2-Privilege-Escalation.html

Third Party Advisory

Exploit

VDB Entry

http://seclists.org/fulldisclosure/2023/May/18

Third Party Advisory

Exploit

Mailing List

https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-003/-pydio-cells-unauthorised-role-assignments

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-32749

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-32749

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-32749

EUVD