إرسال #162544: Pydio cells v4.2.0 - Broken Access Control and Lack of input validation/sanitizationالمعلومات

عنوانPydio cells v4.2.0 - Broken Access Control and Lack of input validation/sanitization
الوصفWe identified in Pydio cells v4.2.0 that as a non-admin user, we were able to bypass its current control, which result in the ability of a standard user to create a group within an organization instance (admin role's capability only). When creating a new user as admin (or non-admin user: refer to previously submitted CVE), we can change the naming convention of the username from "user1" to "new/group/user1", which resulted in the creation of: user "user1", group "new", and group "group" in the admin console. The vendor had been notified, finding had been acknowledged, and advisory to update to Pydio cells version 4.2.1 is released. https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421 Technical write-up of this vulnerability will be published once CVE is assigned.
المصدر⚠️ https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421
المستخدم
 ignatiusmichael (UID 28987)
ارسال30/05/2023 01:58 PM (3 سنوات منذ)
الاعتدال30/05/2023 03:32 PM (2 hours later)
الحالةتمت الموافقة
إدخال VulDB230211 [Abstrium Pydio Cells 4.2.0 User Creation تجاوز الصلاحيات]
النقاط20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!