Filtered by vendor Pydio
Subscribe
Total
35 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-10049 | 1 Pydio | 1 Pydio | 2023-12-10 | 4.9 MEDIUM | 7.3 HIGH |
| It is possible for an attacker with regular user access to the web application of Pydio through 8.2.2 to trick an administrator user into opening a link shared through the application, that in turn opens a shared file that contains JavaScript code (that is executed in the context of the victim user to obtain sensitive information such as session identifiers and perform actions on behalf of him/her). | |||||
| CVE-2019-12903 | 1 Pydio | 1 Cells | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| Pydio Cells before 1.5.0, when supplied with a Name field in an unexpected Unicode format, fails to handle this and includes the database column/table name as pert of the error message, exposing sensitive information. | |||||
| CVE-2019-15033 | 1 Pydio | 1 Pydio | 2023-12-10 | 4.0 MEDIUM | 7.7 HIGH |
| Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as demonstrated by the file=http%3A%2F%2F192.168.1.2 substring. | |||||
| CVE-2019-10046 | 1 Pydio | 1 Pydio | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| An unauthenticated attacker can obtain information about the Pydio 8.2.2 configuration including session timeout, libraries, and license information. | |||||
| CVE-2019-10048 | 1 Pydio | 1 Pydio | 2023-12-10 | 9.0 HIGH | 7.2 HIGH |
| The ImageMagick plugin that is installed by default in Pydio through 8.2.2 does not perform the appropriate validation and sanitization of user supplied input in the plugin's configuration options, allowing arbitrary shell commands to be entered that result in command execution on the underlying operating system, with the privileges of the local user running the web server. The attacker must be authenticated into the application with an administrator user account in order to be able to edit the affected plugin configuration. | |||||
| CVE-2019-12901 | 1 Pydio | 1 Cells | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| Pydio Cells before 1.5.0 fails to neutralize '../' elements, allowing an attacker with minimum privilege to Upload files to, and Delete files/folders from, an unprivileged directory, leading to Privilege escalation. | |||||
| CVE-2019-15032 | 1 Pydio | 1 Pydio | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| Pydio 6.0.8 mishandles error reporting when a directory allows unauthenticated uploads, and the remote-upload option is used with the http://localhost:22 URL. The attacker can obtain sensitive information such as the name of the user who created that directory and other internal server information. | |||||
| CVE-2019-12902 | 1 Pydio | 1 Cells | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| Pydio Cells before 1.5.0 does incomplete cleanup of a user's data upon deletion. This allows a new user, holding the same User ID as a deleted user, to restore the deleted user's data. | |||||
| CVE-2018-1999017 | 1 Pydio | 1 Pydio | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
| Pydio version 8.2.0 and earlier contains a Server-Side Request Forgery (SSRF) vulnerability in plugins/action.updater/UpgradeManager.php Line: 154, getUpgradePath($url) that can result in an authenticated admin users requesting arbitrary URL's, pivoting requests through the server. This attack appears to be exploitable via the attacker gaining access to an administrative account, enters a URL into Upgrade Engine, and reloads the page or presses "Check Now". This vulnerability appears to have been fixed in 8.2.1. | |||||
| CVE-2018-1999016 | 1 Pydio | 1 Pydio | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pydio version 8.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in ./core/vendor/meenie/javascript-packer/example-inline.php line 48; ./core/vendor/dapphp/securimage/examples/test.mysql.static.php lines: 114,118 that can result in an unauthenticated remote attacker manipulating the web client via XSS code injection. This attack appear to be exploitable via the victim openning a specially crafted URL. This vulnerability appears to have been fixed in version 8.2.1. | |||||
| CVE-2018-20718 | 1 Pydio | 1 Pydio | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| In Pydio before 8.2.2, an attack is possible via PHP Object Injection because a user is allowed to use the $phpserial$a:0:{} syntax to store a preference. An attacker either needs a "public link" of a file, or access to any unprivileged user account for creation of such a link. | |||||
| CVE-2018-1999018 | 1 Pydio | 1 Pydio | 2023-12-10 | 8.5 HIGH | 6.6 MEDIUM |
| Pydio version 8.2.1 and prior contains an Unvalidated user input leading to Remote Code Execution (RCE) vulnerability in plugins/action.antivirus/AntivirusScanner.php: Line 124, scanNow($nodeObject) that can result in An attacker gaining admin access and can then execute arbitrary commands on the underlying OS. This attack appear to be exploitable via The attacker edits the Antivirus Command in the antivirus plugin, and executes the payload by uploading any file within Pydio. | |||||
| CVE-2018-14772 | 1 Pydio | 1 Pydio | 2023-12-10 | 9.0 HIGH | 7.2 HIGH |
| Pydio 4.2.1 through 8.2.1 has an authenticated remote code execution vulnerability in which an attacker with administrator access to the web application can execute arbitrary code on the underlying system via Command Injection. | |||||
| CVE-2015-3432 | 1 Pydio | 1 Pydio | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Pydio (formerly AjaXplorer) before 6.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Pydio XSS Vulnerabilities." | |||||
| CVE-2015-3431 | 1 Pydio | 1 Pydio | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| Pydio (formerly AjaXplorer) before 6.0.7 allows remote attackers to execute arbitrary commands via unspecified vectors, aka "Pydio OS Command Injection Vulnerabilities." | |||||