CVE-2021-41325

Description

Broken access control for user creation in Pydio Cells 2.2.9 allows remote anonymous users to create standard users via the profile parameter. (In addition, such users can be granted several admin permissions via the Roles parameter.)

Related CPE's

apydiocells2.2.9***-***

apydiocells2.2.9***enterprise***

References

https://github.com/pydio/cells/releases/tag/v2.2.12

Release NotesThird Party Advisory

https://pydio.com/fr/community/releases/pydio-cells/pydio-cells-enterprise-2212

ProductVendor Advisory

https://charonv.net/Pydio-Broken-Access-Control/

Third Party Advisory

CvssV3 impact

BaseSeverity

MEDIUM

ConfidentialityImpact

NONE

AttackComplexity

LOW

Scope

UNCHANGED

AttackVector

NETWORK

AvailabilityImpact

NONE

IntegrityImpact

HIGH

PrivilegesRequired

LOW

BaseScore

6.5

VectorString

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Version

3.1

UserInteraction

NONE

CvssV2 impact

AccessComplexity

LOW

ConfidentialityImpact

NONE

AvailabilityImpact

NONE

IntegrityImpact

PARTIAL

BaseScore

4

VectorString

AV:N/AC:L/Au:S/C:N/I:P/A:N

Version

2.0

AccessVector

NETWORK

Authentication

SINGLE

Created by Yello
About Severity.io