CVE-2019-10047
Description
Pydio through 8.2.2 contains a stored XSS vulnerability allowing authenticated attackers to execute arbitrary JavaScript via malicious HTML file uploads and preview links.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pydio through 8.2.2 contains a stored XSS vulnerability allowing authenticated attackers to execute arbitrary JavaScript via malicious HTML file uploads and preview links.
Vulnerability
Description A stored cross-site scripting (XSS) vulnerability exists in Pydio versions through 8.2.2. The flaw resides in the file upload and file preview features. An authenticated attacker can upload an HTML file containing malicious JavaScript code. When another authenticated victim accesses a file preview URL for the uploaded file, the HTML is rendered and the JavaScript executes in the context of the victim's session [2].
Exploitation
Exploitation requires an authenticated attacker to upload a crafted HTML file and then share the file with a victim. The victim must be authenticated to the Pydio application and click on a preview link for the malicious file. No additional privileges are needed beyond basic user authentication [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, data theft, or performing actions on behalf of the victim within the Pydio application [2].
Mitigation
Pydio has not released an official patch statement, but users are advised to upgrade to a version beyond 8.2.2 (such as Pydio Cells) which likely addresses this issue. Until then, avoid clicking on preview links for HTML files from untrusted users.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pydioPyPI | <= 8.2.2 | — |
Affected products
2- Pydio/Pydiodescription
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
5- github.com/advisories/GHSA-5ghg-233h-7j79ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-10047ghsaADVISORY
- packetstormsecurity.com/files/152292/Pydio-8-Command-Execution-Cross-Site-Scripting.htmlghsaWEB
- www.secureauth.com/labs/advisoriesmitrex_refsource_MISC
- www.secureauth.com/labs/advisories/pydio-8-multiple-vulnerabilitiesghsaWEB
News mentions
0No linked articles in our index yet.