Robin Descamps

**Name of the Vulnerable Software and Affected Versions** Pydio Cells version 2.2.9 **Description** The issue allows remote authenticated users to overwrite personal files or Cells files belonging to any user via the `format` parameter in the Compress feature. **Recommendations** For Pydio Cells version 2.2.9, consider restricting access to the Compress feature until a patch is available. As a temporary workaround, avoid using the `format` parameter in the Compress feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Pydio Cells version 2.2.9 **Description** The issue allows remote authenticated users to enumerate personal files or Cells files belonging to any user. This is achieved through directory traversal in the Copy, Move, and Delete features. The `nodes` parameter is used for Copy and Move, while the `Path` parameter is used for Delete. **Recommendations** For Pydio Cells version 2.2.9, consider disabling the Copy, Move, and Delete features until a patch is available to prevent exploitation. Restrict access to the `nodes` and `Path` parameters in the affected features to minimize the risk of file enumeration.

**Name of the Vulnerable Software and Affected Versions** Pydio Cells version 2.2.9 **Description** The issue concerns broken access control for user creation, allowing remote anonymous users to create standard users via the `profile` parameter. Additionally, such users can be granted several admin permissions via the `Roles` parameter. **Recommendations** For Pydio Cells version 2.2.9, consider disabling the user creation feature until a patch is available to prevent exploitation. Restrict access to the `profile` and `Roles` parameters to minimize the risk of unauthorized user creation and permission granting. At the moment, there is no information about a newer version that contains a fix for this vulnerability.