InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Multiple CVEs affecting Pydio Cells 4.2.0

popalltheshells
Published in InfoSec Write-ups
3 min read, May 30, 2023

Greetings hackers; I just quickly wanted to share an advisory write-up on vulnerabilities that my team discovered in Pydio Cells 4.2.0. These have been disclosed and we have been in very close communication with the vendor. We at DeepCove Cybersecurity (DCC) pride ourselves on providing a well-rounded, white-glove approach to our security services, which means that the tools we use and recommend to our customers have undergone an extensive penetration test assessment to ensure their security.

Thanks to the rest of the team at DCC; with their help, our security researchers were able to identify a few zero-days within the Pydio Cells service.

Timeline (2023):

May 10: bugs discovered

May 11: bugs reported and acknowledged

May 18: hotfix is created by Pydio and re-tested

May 22: new patch, 4.2.1, is released by Pydio (https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421)

May 30: CVEs assigned

WA1. Broken access control: Creating new users as a regular user [CVE-2023-2979]

When creating a shared user as a standard user, a parameter called “profile” is submitted with the HTTPS request. I identified that there was no access control in place. Knowing that my current user role is “standard”, we can change this parameter value from “shared” to “standard”, which resulted in the creation of a new standard user. A malicious user may create an arbitrary account within the Pydio instance to maintain persistence in the organization. They may also be able to leverage this as a data exfiltration strategy.

PoC:

  1. Navigate to a folder/file/cell and click the person icon on the top right of the page
  2. Create a new shared user and click “submit” while capturing the request with Burp
  3. Change the “profile” attribute from “shared” to “standard” and log in as the new user to validate.
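
The missing control in WA1 is a server-side decision about which “profile” values the authenticated caller may assign. The Go sketch below is an added example, not code from the original write-up or from Pydio: the “shared” and “standard” profile names come from the text above, while the “admin” profile, the policy table, the `login` field and the function names are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// mayAssign maps the caller's profile to the profiles it may give a new user.
// "shared" and "standard" come from the write-up; "admin" and this policy
// are assumptions made for the illustration.
var mayAssign = map[string]map[string]bool{
	"admin":    {"admin": true, "standard": true, "shared": true},
	"standard": {"shared": true}, // standard users may only create shared users
	"shared":   {},               // shared users may not create accounts
}

var ErrForbiddenProfile = errors.New("caller may not assign requested profile")

// createUserRequest is a hypothetical request body; only the "profile"
// attribute is taken from the write-up.
type createUserRequest struct {
	Login   string `json:"login"`
	Profile string `json:"profile"`
}

// AuthorizeCreate checks the client-supplied profile against the caller's
// own profile. callerProfile must come from the authenticated session,
// never from the request body. Unknown callers and missing or unknown
// profile values are rejected (fail closed).
func AuthorizeCreate(callerProfile string, body []byte) (createUserRequest, error) {
	var req createUserRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return req, fmt.Errorf("bad request: %w", err)
	}
	allowed, known := mayAssign[callerProfile]
	if !known || !allowed[req.Profile] {
		return req, fmt.Errorf("%w: %q -> %q", ErrForbiddenProfile, callerProfile, req.Profile)
	}
	return req, nil
}

func main() {
	// Constructed sample bodies: the normal request and the tampered one.
	for _, b := range []string{
		`{"login":"guest1","profile":"shared"}`,
		`{"login":"guest2","profile":"standard"}`,
	} {
		_, err := AuthorizeCreate("standard", []byte(b))
		fmt.Printf("%s => %v\n", b, err)
	}
}
```

Logging every rejected request together with the caller's identity also gives defenders a signal that someone is tampering with the parameter.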

WA2. HTML Injection on chat function [CVE-2023-2981]

The application by design is not supposed to render HTML tags, and sanitizes some characters; however, embedding a combination of both <a and <img allows users to render HTML within the chat function. This can lead to the ability for users to post malicious…
