提交 #162545: Pydio v4.2.0 - Insecure Direct Object Reference信息

标题Pydio v4.2.0 - Insecure Direct Object Reference
描述We identified an issue within Pydio cells v4.2.0, which allows us to subscribe/unsubscribe any user from "watching" changes, uploads, and deletion of a file. Using this, we were able to "unsubscribe" an admin user from watching a specific file, change the integrity of the file to contain "malicious" code, and then re-subscribe the admin. This weakness helped us circumvent detection whilst uploading, modifying, or deleting files in the Pydio instance. The vendor had been notified, finding had been acknowledged, and advisory to update to Pydio cells version 4.2.1 is released. https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421 Technical write-up of this vulnerability will be published once CVE is assigned.
来源⚠️ https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421
用户
 ignatiusmichael (UID 28987)
提交2023-05-30 14時00分 (3 年前)
管理2023-05-30 15時32分 (2 hours later)
状态已接受
VulDB条目230210 [Abstrium Pydio Cells 4.2.0 Change Subscription 权限提升]
积分20

Do you know our Splunk app?

Download it now for free!