CVE-2019-12901: Multiple Vulnerabilities in Pydio Cells [1.4.1]


20 June, 2019

Product Details

Pydio Cells is a transition application for managing your files on a Pydio Cells 1.2.X server (both Home and Enterprise editions) until the main applications, Pydio and Pydio Pro, are ready for Cells servers.


Vulnerability Details

During our research we discovered a few severe security vulnerabilities in Pydio Cells, affecting all three parts of the CIA triad (confidentiality, integrity and availability).

List of Vulnerabilities:

❏ Path/Directory Traversal
❏ Data retrieval after deletion of user
❏ Database Table/column enumeration

Vulnerable Versions




[1] Vulnerability – Path/Directory Traversal


Vulnerability Description

By inserting `../` elements into a path, an attacker is able to traverse out of their own directory into other writable directories and perform actions there that their privileges do not allow.

An attacker with the lowest privilege level is able to upload files to, and delete files and folders from, a directory they are not authorized for, compromising the integrity of the application.
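The check that closes this class of bug is to resolve every user-supplied path against the workspace root the user is entitled to and refuse any result that leaves it, before the upload or delete handler touches the filesystem. The following is an added example in Go (the language Pydio Cells is written in); it is not Pydio's code, and `SafeJoin`, `Authorize`, `Request` and the `roots` map are hypothetical names for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a resolved path would leave the caller's workspace.
var ErrTraversal = errors.New("path escapes workspace root")

// SafeJoin resolves a user-supplied relative path against the workspace root
// the user is entitled to and rejects any result that lexically leaves it.
// filepath.Join already collapses "." and ".." segments, so the check is made
// on the relative path from root to the result: anything starting with ".."
// has escaped. (A lexical check does not see symlinks; on a real filesystem
// resolve the result with filepath.EvalSymlinks and run the check again.)
func SafeJoin(root, userPath string) (string, error) {
	cleanRoot := filepath.Clean(root)
	target := filepath.Join(cleanRoot, userPath)
	rel, err := filepath.Rel(cleanRoot, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// Request models one upload or delete call (hypothetical shape, not Pydio's API).
type Request struct {
	Login, Op, Path string
}

// roots maps each login to the single workspace root it may act on (constructed sample).
var roots = map[string]string{
	"alice": "/data/workspaces/alice",
	"bob":   "/data/workspaces/bob",
}

// Authorize returns the absolute path the operation may act on, or an error.
// Both the upload and the delete handler would call this before doing anything.
func Authorize(r Request) (string, error) {
	root, ok := roots[r.Login]
	if !ok {
		return "", fmt.Errorf("unknown user %q", r.Login)
	}
	return SafeJoin(root, r.Path)
}

func main() {
	// Constructed sample requests; the ones containing ".." follow the
	// traversal pattern described in the advisory above.
	for _, r := range []Request{
		{"alice", "upload", "docs/report.pdf"},
		{"alice", "upload", "../bob/dropped.txt"},
		{"alice", "delete", "docs/../../bob/notes"},
		{"alice", "delete", "docs/../report.pdf"},
	} {
		p, err := Authorize(r)
		if err != nil {
			fmt.Printf("DENY  %-6s %-22s -> %v\n", r.Op, r.Path, err)
			continue
		}
		fmt.Printf("ALLOW %-6s %-22s -> %s\n", r.Op, r.Path, p)
	}
}
```

The prefix test is done on the output of `filepath.Rel` rather than on the raw string, so a root of `/data/workspaces/alice` does not accidentally accept `/data/workspaces/alice2`; the `"docs/../report.pdf"` case shows that `..` inside the workspace is still allowed.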


[2] Vulnerability – Data retrieval after deletion of user


Vulnerability Description

A new user holding the same `User ID` as a deleted user is able to restore the deleted user's data.

An attacker is thereby able to retrieve data they are not authorized to access.
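The root cause of this kind of bug is that file ownership is bound to an identifier that can be reassigned after deletion, and that deleting the account does not purge what it owned. The added Go example below (not Pydio's code; `LoginKeyedStore`, `IDKeyedStore` and `Scenario` are hypothetical names for the demo) runs the same create / upload / delete / re-create sequence against a store keyed by the reusable login and against one keyed by a never-reused random internal ID that is purged on deletion.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// LoginKeyedStore mirrors the weak design: the login name is the only identity,
// and deleting an account forgets the account but not the files it owned.
type LoginKeyedStore struct {
	users map[string]bool
	files map[string][]string // login -> files
}

func NewLoginKeyedStore() *LoginKeyedStore {
	return &LoginKeyedStore{users: map[string]bool{}, files: map[string][]string{}}
}

func (s *LoginKeyedStore) CreateUser(login string)    { s.users[login] = true }
func (s *LoginKeyedStore) DeleteUser(login string)    { delete(s.users, login) } // files survive
func (s *LoginKeyedStore) AddFile(login, name string) { s.files[login] = append(s.files[login], name) }
func (s *LoginKeyedStore) ListFiles(login string) []string {
	if !s.users[login] {
		return nil
	}
	return s.files[login]
}

// IDKeyedStore is the hardened counterpart: every account gets a fresh random
// internal ID that is never reused, file ownership is bound to that ID, and
// deletion purges the files together with the account.
type IDKeyedStore struct {
	idByLogin map[string]string
	files     map[string][]string // internal ID -> files
}

func NewIDKeyedStore() *IDKeyedStore {
	return &IDKeyedStore{idByLogin: map[string]string{}, files: map[string][]string{}}
}

// newID returns 128 random bits as hex; a new account can never collide with
// an old one, however the login is reused.
func newID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func (s *IDKeyedStore) CreateUser(login string) string {
	id := newID()
	s.idByLogin[login] = id
	return id
}

func (s *IDKeyedStore) DeleteUser(login string) {
	if id, ok := s.idByLogin[login]; ok {
		delete(s.files, id) // purge everything owned by the deleted identity
		delete(s.idByLogin, login)
	}
}

func (s *IDKeyedStore) AddFile(login, name string) {
	id := s.idByLogin[login]
	s.files[id] = append(s.files[id], name)
}

func (s *IDKeyedStore) ListFiles(login string) []string {
	return s.files[s.idByLogin[login]]
}

// Scenario runs the same constructed sequence against both stores and reports
// whether a re-created "alice" can see the original alice's file (weak store),
// and whether the hardened store either exposes the file or reuses the ID.
func Scenario() (weakLeaks, hardenedLeaks bool) {
	w := NewLoginKeyedStore()
	w.CreateUser("alice")
	w.AddFile("alice", "salary.xlsx")
	w.DeleteUser("alice")
	w.CreateUser("alice") // a different person registers the freed login
	weakLeaks = len(w.ListFiles("alice")) > 0

	h := NewIDKeyedStore()
	first := h.CreateUser("alice")
	h.AddFile("alice", "salary.xlsx")
	h.DeleteUser("alice")
	second := h.CreateUser("alice")
	hardenedLeaks = len(h.ListFiles("alice")) > 0 || first == second
	return
}

func main() {
	w, h := Scenario()
	fmt.Printf("login-keyed store exposes old data: %v\n", w)
	fmt.Printf("id-keyed store exposes old data:    %v\n", h)
}
```

Both properties matter: purging on deletion protects against the data being found through any path, and a non-reusable ID protects against residual references (shares, ACL rows, cached metadata) that a purge might miss.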


[3] Vulnerability – Database Table/column name enumeration


Vulnerability Description

– Upon saving the user's `Name` field (My Account) as a non-utf8 character (a 4-byte character), the application throws an error, because it expects a utf8 character of at most 3 bytes. The error message exposes sensitive information such as database table and column names.

An attacker can thereby enumerate sensitive information such as database table and column names.
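Two separate fixes apply here: validate the display name in the application before it reaches a column that only stores 3-byte UTF-8, and never forward a storage-layer error verbatim to the client. The added Go example below (not Pydio's code) shows both; `ValidateName`, `SaveName`, `fakeStore` and the `dbError` type are hypothetical, and the table and column names inside `fakeStore` are invented for the demo, not Pydio's schema.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"unicode/utf8"
)

// MaxRuneBytes mirrors a "utf8" database column that stores at most
// 3-byte UTF-8 sequences (code points up to U+FFFF).
const MaxRuneBytes = 3

// ErrUnsupportedChar is the user-facing validation error.
var ErrUnsupportedChar = errors.New("name contains a character that cannot be stored")

// ValidateName checks a display name before it reaches the database, so that
// malformed input and 4-byte characters (emoji and other supplementary-plane
// code points) are rejected in the application layer instead of surfacing as
// a database error.
func ValidateName(name string) error {
	if !utf8.ValidString(name) {
		return ErrUnsupportedChar
	}
	for _, r := range name {
		if n := utf8.RuneLen(r); n > MaxRuneBytes {
			return fmt.Errorf("%w: U+%04X needs %d bytes", ErrUnsupportedChar, r, n)
		}
	}
	return nil
}

// dbError is a constructed stand-in for an error bubbling up from the storage
// layer; the table and column names it carries are invented for the demo.
type dbError struct{ table, column, detail string }

func (e *dbError) Error() string {
	return fmt.Sprintf("incorrect string value for column '%s.%s': %s", e.table, e.column, e.detail)
}

// SaveName is the hardened handler shape: validate first, and if the storage
// layer still fails, log the detail server-side and return only a generic
// message to the client, so internal schema names never reach the response.
func SaveName(name string, store func(string) error) (clientMsg string, ok bool) {
	if err := ValidateName(name); err != nil {
		return err.Error(), false
	}
	if err := store(name); err != nil {
		log.Printf("profile update failed: %v", err) // full detail stays in the server log
		return "could not update profile", false
	}
	return "profile updated", true
}

// fakeStore simulates a utf8 column rejecting anything wider than 3 bytes.
func fakeStore(name string) error {
	for _, r := range name {
		if utf8.RuneLen(r) > MaxRuneBytes {
			return &dbError{"demo_users", "display_name", fmt.Sprintf("'%c'", r)}
		}
	}
	return nil
}

func main() {
	// Constructed inputs: a plain name and one ending in U+1F600 (4 bytes).
	for _, n := range []string{"Alice", "Ali\U0001F600"} {
		msg, ok := SaveName(n, fakeStore)
		fmt.Printf("%q -> ok=%v msg=%q\n", n, ok, msg)
	}
	// Even if validation were bypassed, the generic response keeps the schema out of the reply.
	msg, _ := SaveName("x", func(string) error {
		return &dbError{"demo_users", "display_name", "'\U0001F600'"}
	})
	fmt.Println(msg)
}
```

The validation error is wrapped with `%w` so callers can still match it with `errors.Is`, while the text the client sees names only the offending code point, not anything about storage.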



Vendor Disclosure: 2019-4-5
Public Disclosure: 2019-6-20


Discovered by ACE Team – Loginsoft