
CVE-2023-32749

Published: 08/06/2023 Updated: 15/06/2023
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 0

Vulnerability Summary

Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and non-personal workspaces is granted.

Vulnerable Product

pydio cells

Exploits

Pydio Cells versions 4.1.2 and below suffer from a privilege escalation vulnerability. It allows users, by default, to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly cre ...

Github Repositories

PoC for CVE-2023-32749: This is a quick and dirty PoC I wrote for CVE-2023-32749 for Pydio Cells. The script creates a new user account with all the roles available when provided with a valid credential. All credit goes to the original researchers. Installation: The only requirement is the requests package from Python to make the web requests. If it is not installed on you