CVE-2023-32751

Name of the Vulnerable Software and Affected Versions Pydio Cells versions 4.1.2 and earlier

Description The issue allows for cross-site scripting (XSS) due to the exposure of secrets used to sign presigned URLs for file downloads. These secrets are hardcoded and accessible through the web application's JavaScript files, enabling the generation of valid signatures for arbitrary download URLs. By uploading an HTML file and modifying the download URL to serve the file inline, any included JavaScript code can be executed when the URL is opened in a browser.

Recommendations For Pydio Cells versions 4.1.2 and earlier, as a temporary workaround, consider restricting access to the download functionality until a patch is available. Avoid using the presigned URL feature for sensitive files, and restrict the upload of HTML files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.