PT-2021-23278 · Pydio · Pydio Cells

Robin Descamps

Published

2021-09-30

Updated

2021-10-07

CVE-2021-41324

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Pydio Cells version 2.2.9

Description The issue allows remote authenticated users to enumerate personal files or Cells files belonging to any user. This is achieved through directory traversal in the Copy, Move, and Delete features. The nodes parameter is used for Copy and Move, while the Path parameter is used for Delete.

Recommendations For Pydio Cells version 2.2.9, consider disabling the Copy, Move, and Delete features until a patch is available to prevent exploitation. Restrict access to the nodes and Path parameters in the affected features to minimize the risk of file enumeration.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2021-41324

Affected Products

Pydio Cells

PT-2021-23278 · Pydio · Pydio Cells

CVE-2021-41324

Weakness Enumeration

Related Identifiers

Affected Products

References · 6