PT-2020-13292 · Pydio · Pydio Cells

Published: 2020-06-04 · Updated: 2021-07-21 · CVE-2020-12847

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Pydio Cells version 2.0.4

Description

The Pydio Cells web application has an administrative console named "Cells Console" that allows users with an administrator role to change settings, including the application's mailer configuration. When the "sendmail" option is selected, the user can edit the full path to the sendmail binary. Because this value is not validated or restricted in any way, an authenticated administrator can point it at any executable and force the web application to run that binary. An attacker who holds administrator privileges could therefore exploit this to execute arbitrary code on the server.

Recommendations

For Pydio Cells version 2.0.4, as a temporary workaround, restrict access to the mailer configuration settings in the Cells Console to minimize the risk of exploitation, and avoid using the "sendmail" option until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
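The root cause described above is a free-form path that the mailer later executes. The defensive fix is to treat that setting as an allowlisted choice rather than user-supplied text: require an absolute path, reject shell metacharacters, resolve symlinks, and accept the value only if it resolves to one of a small set of known sendmail binaries. The Go sketch below is an added example written for this advisory; it is not Pydio Cells' own code, and the function names, the allowlist contents and the injectable resolver hook are assumptions made for illustration. It also shows the audit line a defender would want emitted on every attempted change, accepted or not, so that tampering with the mailer binary path is visible in logs.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Illustrative hardening for an administrator-editable "sendmail binary path".
// Not Pydio Cells' code; names and the allowlist are assumptions for this example.

// DefaultSendmailAllowlist is the set of canonical locations an administrator
// may point the mailer at. Anything that does not resolve to one of these is rejected.
var DefaultSendmailAllowlist = []string{
	"/usr/sbin/sendmail",
	"/usr/lib/sendmail",
}

// Resolver maps a path to its final, symlink-free form. In production this is
// filepath.EvalSymlinks; tests can inject a fake so they do not touch the filesystem.
type Resolver func(string) (string, error)

var (
	ErrNotAbsolute  = errors.New("sendmail path must be absolute")
	ErrUnsafeChars  = errors.New("sendmail path contains shell or control characters")
	ErrNotAllowed   = errors.New("sendmail path is not in the allowlist")
	ErrUnresolvable = errors.New("sendmail path cannot be resolved")
)

// ValidateSendmailPath accepts the configured path only if it is absolute, free of
// shell metacharacters and, after symlink resolution, identical to one of the
// allowlisted binaries (which are resolved the same way). It returns the resolved
// path that the mailer should actually execute.
func ValidateSendmailPath(configured string, allowed []string, resolve Resolver) (string, error) {
	if !filepath.IsAbs(configured) {
		return "", ErrNotAbsolute
	}
	if strings.ContainsAny(configured, " \t\n;|&$`\"'<>\x00") {
		return "", ErrUnsafeChars
	}
	resolved, err := resolve(filepath.Clean(configured))
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrUnresolvable, err)
	}
	for _, candidate := range allowed {
		resolvedAllowed, err := resolve(candidate)
		if err != nil {
			continue // this allowlisted binary is not installed on the host
		}
		if resolved == resolvedAllowed {
			return resolved, nil
		}
	}
	return "", ErrNotAllowed
}

// AuditEntry formats the log line to emit whenever the mailer binary setting is
// changed, so both accepted and rejected attempts are reviewable later.
func AuditEntry(adminUser, configured string, err error) string {
	status := "accepted"
	if err != nil {
		status = "rejected: " + err.Error()
	}
	return fmt.Sprintf("mailer.sendmail.path change by %q to %q %s", adminUser, configured, status)
}

func main() {
	// Constructed inputs: a legitimate value, an attempt to repoint the mailer at an
	// unrelated executable, and a relative path. Real symlink resolution is used here.
	for _, p := range []string{"/usr/sbin/sendmail", "/tmp/not-sendmail", "sendmail"} {
		_, err := ValidateSendmailPath(p, DefaultSendmailAllowlist, filepath.EvalSymlinks)
		fmt.Println(AuditEntry("admin", p, err))
	}
}
```

The validator returns the resolved path rather than the configured string on purpose: the mailer should execute what was checked, not what was typed, so a symlink swapped in after validation cannot silently change the target.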


Related Identifiers: CVE-2020-12847

Affected Products: Pydio Cells