CVE-2023-32749

Exploit

EPSS 44.01%
Published 08.06.2023 20:15:09
Last modified 06.01.2025 21:15:10
Source cve@mitre.org
Teams watchlist Login
Open Login

Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and non-personal workspaces is granted.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Pydio ≫ Cells Version < 3.0.12

Pydio ≫ Cells Version >= 4.1.0 < 4.1.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	44.01%	0.974

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses

Third Party Advisory

http://packetstormsecurity.com/files/172645/Pydio-Cells-4.1.2-Privilege-Escalation.html

Third Party Advisory

Exploit

VDB Entry

http://seclists.org/fulldisclosure/2023/May/18

Third Party Advisory

Exploit

Mailing List

https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-003/-pydio-cells-unauthorised-role-assignments

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-32749

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-32749

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-32749

EUVD