CVE-2021-41323: 
NixOS vulnerability analysis and mitigation

Directory traversal vulnerability in the Compress feature in Pydio Cells 2.2.9 allows remote authenticated users to overwrite personal files, or Cells files belonging to any user, via the format parameter (NVD, Pydio Advisory). The vulnerability was discovered by security researcher Robin Descamps from NTT Belgium.

The vulnerability exists in the Compress feature when right-clicking on a file. By tampering with the 'format' parameter in the corresponding web request, an attacker can inject a path value to write archive files in other users' personal folders or in Cells that the user has no access to. The vulnerability has a CVSS v3.1 Base Score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) (NVD, CharonV).

Successful exploitation allows attackers to upload archives containing malicious files or replace sensitive files with attacker's content in any Cell or personal folder to trick or mislead targeted users. Additionally, attackers can brute-force filenames to overwrite and erase content of files in all Cells and personal folders (CharonV).

Users should upgrade to Pydio Cells version 2.2.12 or above which contains fixes for this vulnerability. The upgrade can be performed using the in-app dashboard in Cells Console > Software Updates, or by replacing the binary and restarting the service (Pydio Release).