| Field | Value |
|---|---|
| Title | HTML Injection |
| Description | We (DeepCove Cybersecurity) found that the chat function within Pydio version 4.2.0 is not supposed to accept HTML tags, and only markdown by design. However, with a carefully crafted HTTPS request, as a proof of concept, we were able to inject HTML code that renders an image within the chat function, which leads to a "malicious" domain when clicked by the user. This affected all users within the same Pydio Cells. The vendor has been notified, the finding has been acknowledged, and an advisory to update to Pydio Cells version 4.2.1 has been released: https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421 A technical write-up of this vulnerability will be published once a CVE is assigned. |
| Source | https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421 |
| User | ignatiusmichael (UID 28987) |
| Submitted | 30/05/2023 01:52 PM (3 years ago) |
| Moderation | 30/05/2023 03:32 PM (2 hours later) |
| Status | Accepted |
| VulDB Entry | 230213 [Abstrium Pydio Cells 4.2.0 Chat cross site scripting] |
| Points | 16 |