PT-2020-13293 · Pydio · Pydio Cells

Published: 2020-06-05 · Updated: 2021-07-21 · CVE-2020-12848

CVSS v2.0: 5.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Pydio Cells version 2.0.4
Description: In Pydio Cells, when an authenticated user shares a file and selects the option to create a public link, a hidden shared user account with a random username is created in the backend. If an anonymous user obtains a valid public link, they can retrieve the username and password of that hidden account and use them to log in to the web application. Once logged in as the hidden user, they can perform actions that were not available through the public share link itself.
Recommendations: For Pydio Cells version 2.0.4, consider disabling the public link sharing feature until a patch is available, so that no hidden shared user accounts are created. Restrict access to sensitive actions within the web application to minimize the risk of exploitation by anonymous users who may have obtained a valid public link.

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2020-12848

Affected Products

Pydio Cells