Description
Broken access control for user creation in Pydio Cells 2.2.9 allows remote anonymous users to create standard users via the profile parameter. (In addition, such users can be granted several admin permissions via the Roles parameter.)
Related CPEs
a · pydio · cells · 2
References
https://charonv.net/Pydio-Broken-Access-Control/
Third Party Advisory
https://github.com/pydio/cells/releases/tag/v2.2.12
Release Notes, Third Party Advisory
https://pydio.com/fr/community/releases/pydio-cells/pydio-cells-enterprise-2212
Product, Vendor Advisory
CVSS impact metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 · Medium
CVSS V3.1
Information
Source identifier
Vulnerability status
Analyzed
Published
2021-09-30T19:15:07.513
3 years ago
Last modified
2022-07-12T17:42:04.277
3 years ago