Skip to main content

Cells CVE-2020-12852

MEDIUM
Improper Input Validation (CWE-20)
2020-06-04 cve@mitre.org
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 04, 2020 - 20:15 nvd
MEDIUM 6.8

DescriptionNVD

The update feature for Pydio Cells 2.0.4 allows an administrator user to set a custom update URL and the public RSA key used to validate the downloaded update package. The update process involves downloading the updated binary file from a URL indicated in the update server response, validating its checksum and signature with the provided public key and finally replacing the current application binary. To complete the update process, the application’s service or appliance needs to be restarted. An attacker with administrator access can leverage the software update feature to force the application to download a custom binary that will replace current Pydio Cells binary. When the server or service is eventually restarted the attacker will be able to execute code under the privileges of the user running the application. In the Pydio Cells enterprise appliance this is with the privileges of the user named “pydio”.

AnalysisAI

The update feature for Pydio Cells 2.0.4 allows an administrator user to set a custom update URL and the public RSA key used to validate the downloaded update package. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-20. The update feature for Pydio Cells 2.0.4 allows an administrator user to set a custom update URL and the public RSA key used to validate the downloaded update package. The update process involves downloading the updated binary file from a URL indicated in the update server response, validating its checksum and signature with the provided public key and finally replacing the current application binary. To complete the update process, the application’s service or appliance needs to be restarted. An attacker with administrator access can leverage the software update feature to force the application to download a custom binary that will replace current Pydio Cells binary. When the server or service is eventually restarted the attacker will be able to execute code under the privileges of the user running the application. In the Pydio Cells enterprise appliance this is with the privileges of the user named “pydio”. Affected products include: Pydio Cells.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Cells

View all
CVE-2023-32749 HIGH POC
8.8 Jun 08

Pydio Cells allows users by default to create so-called external users in order to share files with them. Rated high sev

CVE-2020-12851 HIGH POC
8.1 Jun 04

Pydio Cells 2.0.4 allows an authenticated user to write or overwrite existing files in another user’s personal and cells

CVE-2020-12847 HIGH POC
7.2 Jun 04

Pydio Cells 2.0.4 web application offers an administrative console named “Cells Console” that is available to users with

CVE-2020-12850 HIGH POC
7.0 Jun 11

The following vulnerability applies only to the Pydio Cells Enterprise OVF version 2.0.4. Rated high severity (CVSS 7.0)

CVE-2023-32750 MEDIUM POC
6.5 Jun 08

Pydio Cells through 4.1.2 allows SSRF. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low

CVE-2020-12853 MEDIUM POC
6.1 Jun 04

Pydio Cells 2.0.4 allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentic

CVE-2023-32751 MEDIUM POC
5.4 Jun 08

Pydio Cells through 4.1.2 allows XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low

CVE-2020-12849 MEDIUM POC
5.4 Jun 05

Pydio Cells 2.0.4 allows any user to upload a profile image to the web application, including standard and shared user r

CVE-2020-12848 MEDIUM POC
5.4 Jun 05

In Pydio Cells 2.0.4, once an authenticated user shares a file selecting the create a public link option, a hidden share

CVE-2019-12901 HIGH
8.8 Jun 20

Pydio Cells before 1.5.0 fails to neutralize '../' elements, allowing an attacker with minimum privilege to Upload files

CVE-2021-41324 MEDIUM
6.5 Sep 30

Directory traversal in the Copy, Move, and Delete features in Pydio Cells 2.2.9 allows remote authenticated users to enu

CVE-2021-41325 MEDIUM
6.5 Sep 30

Broken access control for user creation in Pydio Cells 2.2.9 allows remote anonymous users to create standard users via

Share

CVE-2020-12852 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy