Submission #162545: Pydio v4.2.0 - Insecure Direct Object Reference

Information

Title: Pydio v4.2.0 - Insecure Direct Object Reference

Description: We identified an issue within Pydio Cells v4.2.0, which allows us to subscribe/unsubscribe any user from "watching" changes, uploads, and deletion of a file. Using this, we were able to "unsubscribe" an admin user from watching a specific file, change the integrity of the file to contain "malicious" code, and then re-subscribe the admin. This weakness helped us circumvent detection whilst uploading, modifying, or deleting files in the Pydio instance. The vendor has been notified, the finding has been acknowledged, and an advisory to update to Pydio Cells version 4.2.1 has been released: https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421 A technical write-up of this vulnerability will be published once a CVE is assigned.

Source: https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421

User: ignatiusmichael (UID 28987)

Submitted: 2023-05-30 02:00 PM (3 years ago)

Moderated: 2023-05-30 03:32 PM (2 hours later)

Status: Accepted

VulDB Entry: 230210 [Abstrium Pydio Cells 4.2.0 Change Subscription privilege escalation]

Points: 20
