CVE-2023-32751

Pydio Cells through 4.1.2 allows XSS. Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript [1]. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web application. Therefore, it is possible to generate valid signatures for arbitrary download URLs. By uploading an HTML file and modifying the download URL to serve the file inline instead of as an attachment, any included JavaScript code is executed when the URL is opened in a browser, leading to a cross-site scripting vulnerability.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.redteam-pentesting.de/advisories/rt-sa-2023-004/	Exploit Third Party Advisory
https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pydio:cells::::::::
	cpe:2.3:a:pydio:cells::::::::

History

16 Jun 2023, 15:52

Type	Values Removed	Values Added
References	~~(MISC) https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses -~~	(MISC) https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses - Third Party Advisory
References	~~(MISC) https://www.redteam-pentesting.de/advisories/rt-sa-2023-004/ -~~	(MISC) https://www.redteam-pentesting.de/advisories/rt-sa-2023-004/ - Exploit, Third Party Advisory
CPE		cpe:2.3:a:pydio:cells::::::::
First Time		Pydio cells Pydio
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
CWE		CWE-79

08 Jun 2023, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-06-08 21:15

Updated : 2023-12-10 15:01

NVD link : CVE-2023-32751

Mitre link : CVE-2023-32751

CVE.ORG link : CVE-2023-32751

JSON object : View

Products Affected

pydio

cells

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-32751", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2023-06-08T21:15:17.427", "references": [{"url": "https://www.redteam-pentesting.de/advisories/rt-sa-2023-004/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Pydio Cells through 4.1.2 allows XSS. Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript [1]. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web application. Therefore, it is possible to generate valid signatures for arbitrary download URLs. By uploading an HTML file and modifying the download URL to serve the file inline instead of as an attachment, any included JavaScript code is executed when the URL is opened in a browser, leading to a cross-site scripting vulnerability."}, {"lang": "es", "value": "Pydio Cells en la versi\u00f3n 4.1.2 permite ataques de Cross-Site Scripting (XSS). Pydio Cells implementa la descarga de archivos utilizando URLs prefirmadas que se generan utilizando el SDK de Amazon AWS para JavaScript. Los secretos utilizados para firmar estas URLs est\u00e1n codificados y expuestos a trav\u00e9s de los archivos JavaScript de la aplicaci\u00f3n web. Por lo tanto, es posible generar firmas v\u00e1lidas para URLs de descarga arbitrarias. Al cargar un archivo HTML y modificar la URL de descarga para servir el archivo en l\u00ednea en lugar de como un archivo adjunto, cualquier c\u00f3digo JavaScript incluido se ejecuta cuando la URL se abre en un navegador, lo que conduce a una vulnerabilidad de Cross-Site Scripting. "}], "lastModified": "2023-06-16T15:52:52.467", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pydio:cells:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BC5DD7AD-4965-45AF-96FF-DD160981D87F", "versionEndExcluding": "3.0.12"}, {"criteria": "cpe:2.3:a:pydio:cells:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5644B716-3AA9-4591-A7B1-9356183B93FD", "versionEndExcluding": "4.1.3", "versionStartIncluding": "4.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}