Vulnerability Details : CVE-2020-12847
Pydio Cells 2.0.4 web application offers an administrative console named “Cells Console” that is available to users with an administrator role. This console provides an administrator user with the possibility of changing several settings, including the application’s mailer configuration. It is possible to configure a few engines to be used by the mailer application to send emails. If the user selects the “sendmail” option as the default one, the web application offers to edit the full path where the sendmail binary is hosted. Since there is no restriction in place while editing this value, an attacker authenticated as an administrator user could force the web application into executing any arbitrary binary.
Products affected by CVE-2020-12847
- cpe:2.3:a:pydio:cells:2.0.4:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-12847
0.43%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 72 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-12847
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
8.0
|
6.4
|
NIST | |
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
NIST |
References for CVE-2020-12847
-
http://packetstormsecurity.com/files/158002/Pydio-Cells-2.0.4-XSS-File-Write-Code-Execution.html
Pydio Cells 2.0.4 XSS / File Write / Code Execution ≈ Packet StormThird Party Advisory
-
https://www.coresecurity.com/core-labs/advisories/pydio-cells-204-multiple-vulnerabilities
Pydio Cells 2.0.4 Multiple Vulnerabilities | CoreLabs AdvisoriesExploit;Third Party Advisory
-
https://www.coresecurity.com/advisories
Advisories | Core SecurityThird Party Advisory
Jump to