Submission #162545: Pydio v4.2.0 - Insecure Direct Object Reference

Information

Title: Pydio v4.2.0 - Insecure Direct Object Reference
Description: We identified an issue within Pydio Cells v4.2.0 which allows us to subscribe/unsubscribe any user from "watching" changes, uploads, and deletion of a file. Using this, we were able to "unsubscribe" an admin user from watching a specific file, change the integrity of the file to contain "malicious" code, and then re-subscribe the admin. This weakness helped us circumvent detection while uploading, modifying, or deleting files in the Pydio instance. The vendor has been notified, the finding has been acknowledged, and an advisory to update to Pydio Cells version 4.2.1 has been released. https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421 A technical write-up of this vulnerability will be published once a CVE is assigned.
Source: https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421
User: ignatiusmichael (UID 28987)
Submitted: 30/05/2023 02:00 PM (3 years ago)
Moderation: 30/05/2023 03:32 PM (2 hours later)
Status: Accepted
VulDB Entry: 230210 [Abstrium Pydio Cells 4.2.0 Change Subscription privilege escalation]
Points: 20
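The bug class the description names is a missing authorization check on an object reference: the handler that changes a watch subscription accepts a target user and never verifies that the caller is allowed to act on that user. As an added illustration (not Pydio's code, not derived from the Pydio Cells code base, and not the actual fix shipped in 4.2.1, which this page does not describe), here is a minimal handler in Go, the language Pydio Cells is written in, in both its IDOR-prone and hardened forms. The request field names, the in-memory store, the user names "admin" and "mallory" and the file path are all constructed for the example. The hardened version also records who changed whose subscription, so the unsubscribe/tamper/resubscribe sequence from the description leaves a trace even where the vulnerable version would silently honour it.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrForbidden is returned when a caller tries to change a subscription
// that is not their own without holding an admin role.
var ErrForbidden = errors.New("forbidden: cannot change another user's subscription")

// ChangeSubscriptionRequest is what the client sends. The field names are
// assumptions for this example, not Pydio's actual API.
type ChangeSubscriptionRequest struct {
	UserID     string // whose subscription to change
	FileID     string // which file is being watched
	Subscribed bool   // true = watch, false = stop watching
}

// Store is a constructed in-memory stand-in for a subscription backend.
type Store struct {
	watching map[string]bool // "user:file" -> currently watching?
	admins   map[string]bool // users allowed to manage other users
	Audit    []string        // every change, attributed to the caller
}

func NewStore() *Store {
	s := &Store{
		watching: map[string]bool{},
		admins:   map[string]bool{"admin": true},
	}
	// Constructed starting state: the admin watches a sensitive document.
	s.watching[key("admin", "contracts/q1.pdf")] = true
	return s
}

func key(user, file string) string { return user + ":" + file }

// IsWatching reports whether user currently watches file.
func (s *Store) IsWatching(user, file string) bool { return s.watching[key(user, file)] }

// apply performs the state change and writes an audit line naming the caller,
// not just the target, so a later review can see who acted on whom.
func (s *Store) apply(caller string, req ChangeSubscriptionRequest) {
	s.watching[key(req.UserID, req.FileID)] = req.Subscribed
	s.Audit = append(s.Audit, fmt.Sprintf("caller=%s target=%s file=%s subscribed=%t",
		caller, req.UserID, req.FileID, req.Subscribed))
}

// ChangeSubscriptionVulnerable is the IDOR pattern: the authenticated caller
// is known, but the handler trusts UserID from the request body and never
// compares the two, so any user can flip any other user's subscription.
func (s *Store) ChangeSubscriptionVulnerable(caller string, req ChangeSubscriptionRequest) error {
	s.apply(caller, req)
	return nil
}

// ChangeSubscriptionHardened binds the object reference to the caller:
// a user may only change their own subscriptions unless they are an admin.
func (s *Store) ChangeSubscriptionHardened(caller string, req ChangeSubscriptionRequest) error {
	if req.UserID != caller && !s.admins[caller] {
		return ErrForbidden
	}
	s.apply(caller, req)
	return nil
}

func main() {
	file := "contracts/q1.pdf"
	// The sequence from the submission: a low-privileged user removes the
	// admin's watch, tampers with the file, then restores the watch so that
	// no change notification reaches the admin.
	unsub := ChangeSubscriptionRequest{UserID: "admin", FileID: file, Subscribed: false}
	resub := ChangeSubscriptionRequest{UserID: "admin", FileID: file, Subscribed: true}

	v := NewStore()
	_ = v.ChangeSubscriptionVulnerable("mallory", unsub)
	fmt.Println("vulnerable: admin still watching after mallory's request?", v.IsWatching("admin", file))
	_ = v.ChangeSubscriptionVulnerable("mallory", resub)
	for _, line := range v.Audit {
		fmt.Println("audit:", line)
	}

	h := NewStore()
	err := h.ChangeSubscriptionHardened("mallory", unsub)
	fmt.Println("hardened: error =", err, "| admin still watching?", h.IsWatching("admin", file))
}
```

The check that matters is the comparison between the identity the server authenticated and the identity named in the request; the role bypass for admins is the only legitimate reason the two may differ. The audit line is the detection side of the same story: a non-admin caller whose target differs from themselves is exactly the request the vulnerable handler accepted, and logging caller and target separately is what lets a reviewer spot it.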
