Submission #162545: Pydio v4.2.0 - Insecure Direct Object Reference Info

Title: Pydio v4.2.0 - Insecure Direct Object Reference
Description: We identified an issue within Pydio Cells v4.2.0 which allows us to subscribe/unsubscribe any user from "watching" changes, uploads, and deletion of a file. Using this, we were able to "unsubscribe" an admin user from watching a specific file, change the integrity of the file to contain "malicious" code, and then re-subscribe the admin. This weakness helped us circumvent detection whilst uploading, modifying, or deleting files in the Pydio instance. The vendor has been notified, the finding has been acknowledged, and an advisory to update to Pydio Cells version 4.2.1 has been released. https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421 A technical write-up of this vulnerability will be published once a CVE is assigned.
Source: https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421
User: ignatiusmichael (UID 28987)
Submitted: May 30, 2023 14:00 (3 years ago)
Moderation: May 30, 2023 15:32 (2 hours later)
Status: Accepted
VulDB Entry: 230210 [Abstrium Pydio Cells 4.2.0 Change Subscription Privilege Escalation]
Points: 20
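The submission describes a classic insecure direct object reference: the "change subscription" request names the user whose watch is toggled, and the server acts on that name instead of on the authenticated caller. The following Go program is an added illustration of that pattern and its fix; it is not Pydio's code (Pydio Cells is written in Go, which is why Go is used), and every type, function and path in it (Subscriptions, Principal, ChangeSubscriptionRequest, RunAttack, "/shared/report.docx", the users "admin" and "mallory") is a hypothetical stand-in constructed for the example. It replays the scenario from the description, an ordinary user silencing an administrator's watch on a file, once against a handler that trusts the client-supplied user ID and once against a handler that binds the target to the authenticated principal.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrForbidden is returned when a caller tries to change a subscription
// that belongs to someone else without administrative rights.
var ErrForbidden = errors.New("forbidden: cannot change another user's subscription")

// Subscriptions records which users are watching which file paths. It is a
// hypothetical in-memory store, not Pydio's data model.
type Subscriptions struct {
	mu    sync.Mutex
	watch map[string]map[string]bool // path -> set of user IDs watching it
}

func NewSubscriptions() *Subscriptions {
	return &Subscriptions{watch: make(map[string]map[string]bool)}
}

// Set adds or removes user as a watcher of path.
func (s *Subscriptions) Set(path, user string, on bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.watch[path] == nil {
		s.watch[path] = make(map[string]bool)
	}
	if on {
		s.watch[path][user] = true
	} else {
		delete(s.watch[path], user)
	}
}

// IsWatching reports whether user currently watches path.
func (s *Subscriptions) IsWatching(path, user string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.watch[path][user]
}

// Principal is the identity the server established from the session or
// token. It is never taken from the request body.
type Principal struct {
	ID    string
	Admin bool
}

// ChangeSubscriptionRequest is the client-supplied body. UserID is the
// direct object reference a client can tamper with.
type ChangeSubscriptionRequest struct {
	UserID string
	Path   string
	Watch  bool
}

// Handler is the shape shared by the vulnerable and fixed variants.
type Handler func(s *Subscriptions, p Principal, req ChangeSubscriptionRequest) error

// vulnerableChangeSubscription trusts req.UserID outright, so any
// authenticated user can toggle anyone else's watch: the IDOR pattern.
func vulnerableChangeSubscription(s *Subscriptions, _ Principal, req ChangeSubscriptionRequest) error {
	s.Set(req.Path, req.UserID, req.Watch)
	return nil
}

// fixedChangeSubscription binds the target user to the authenticated
// principal and only lets administrators act on behalf of others.
func fixedChangeSubscription(s *Subscriptions, p Principal, req ChangeSubscriptionRequest) error {
	if req.UserID == "" {
		req.UserID = p.ID // default to self when the client omits it
	}
	if req.UserID != p.ID && !p.Admin {
		return ErrForbidden
	}
	s.Set(req.Path, req.UserID, req.Watch)
	return nil
}

// RunAttack replays the submission's scenario against h: a non-admin user
// tries to unsubscribe the admin from a file. It returns whether the admin
// is still watching afterwards and the handler's error. All state here is
// constructed for the example.
func RunAttack(h Handler) (adminStillWatching bool, err error) {
	subs := NewSubscriptions()
	subs.Set("/shared/report.docx", "admin", true) // admin watches the file
	attacker := Principal{ID: "mallory", Admin: false}
	err = h(subs, attacker, ChangeSubscriptionRequest{
		UserID: "admin", // tampered: names someone else's subscription
		Path:   "/shared/report.docx",
		Watch:  false,
	})
	return subs.IsWatching("/shared/report.docx", "admin"), err
}

func main() {
	for name, h := range map[string]Handler{"vulnerable": vulnerableChangeSubscription, "fixed": fixedChangeSubscription} {
		watching, err := RunAttack(h)
		fmt.Printf("%-10s admin still watching=%v err=%v\n", name, watching, err)
	}
}
```

The point of the fix is where the target identity comes from: the hardened handler ignores any user ID the client supplies unless the caller is an administrator, so the notification an admin relies on for detection cannot be switched off by the very user whose upload it would report. The same check applies to any endpoint that takes a user, file or resource identifier from the request body.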
