CVE-2021-41324 Information

Description

Directory traversal in the Copy, Move, and Delete features in Pydio Cells 2.2.9 allows remote authenticated users to enumerate personal files (or Cells files belonging to any user) via the nodes parameter (for Copy and Move) or via the Path parameter (for Delete).

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reference

https://github.com/pydio/cells/releases/tag/v2.2.12
https://pydio.com/fr/community/releases/pydio-cells/pydio-cells-enterprise-2212
https://charonv.net/Pydio-Broken-Access-Control/

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

6.5

Base Severity

MEDIUM
