Arbitrary Binary Execution Vulnerability in Pydio Cells Web Application
CVE-2020-12847

7.2 HIGH

Key Information:

Vendor: Pydio
Status: Vendor
CVE Published: 4 June 2020

What is CVE-2020-12847?

Pydio Cells version 2.0.4 contains a security issue within its administrative console, known as the 'Cells Console'. This feature allows users with administrator access to modify application settings, including the email configuration. Specifically, when the 'sendmail' option is selected as the mailer, administrators can specify the path to the sendmail binary. However, the application does not sufficiently restrict this input, so an authenticated attacker with admin privileges can change the path so that an arbitrary binary is executed instead of sendmail. This flaw poses a significant risk because it can lead to unauthorized command execution within the web application.
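As an added illustration of the missing control (hypothetical code written for this page, not Pydio's own), the following Go validator accepts a sendmail path only if it is absolute, already canonical and on a fixed allowlist, and a second check confirms at send time that the file is a regular executable that lower-privileged users cannot overwrite. The allowlist entries are constructed examples.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Constructed allowlist of canonical sendmail locations; a real deployment
// would load it from trusted configuration that is not editable in the UI.
var AllowedSendmailPaths = []string{"/usr/sbin/sendmail", "/usr/lib/sendmail"}

// ValidateSendmailPath (hypothetical, not Pydio's code) accepts only an absolute,
// canonical path that exactly matches an allowlist entry, never an arbitrary binary.
func ValidateSendmailPath(configured string, allowed []string) error {
	p := strings.TrimSpace(configured)
	if p == "" || !filepath.IsAbs(p) {
		return fmt.Errorf("sendmail path %q must be a non-empty absolute path", p)
	}
	// Refuse "." / ".." and doubled separators instead of normalising them.
	if filepath.Clean(p) != p {
		return fmt.Errorf("sendmail path %q is not canonical", p)
	}
	for _, a := range allowed {
		if p == a {
			return nil
		}
	}
	return fmt.Errorf("sendmail path %q is not in the allowlist", p)
}

// CheckSendmailBinary runs at send time: the target must be a regular, executable
// file that group/others cannot write, so a local user cannot swap the binary.
func CheckSendmailBinary(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return err
	}
	perm := fi.Mode().Perm()
	if !fi.Mode().IsRegular() || perm&0o111 == 0 || perm&0o022 != 0 {
		return fmt.Errorf("%s must be a regular, executable file not writable by group/others", path)
	}
	return nil
}

func main() {
	fmt.Println(ValidateSendmailPath("/usr/sbin/../bin/sh", AllowedSendmailPaths))
}
```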

References

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
