Pydio
by Pydio
Source repositories
CVEs (31)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-20453 | | | 0.00 | — | 0.02 | | Mar 17, 2020 | A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/uploader.http/HttpDownload.php. An authenticated user with basic privileges can inject objects and achieve remote code execution. |
| CVE-2019-20452 | | | 0.00 | — | 0.02 | | Mar 17, 2020 | A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/core.access/src/RecycleBinManager.php. An authenticated user with basic privileges can inject objects and achieve remote code execution. |
| CVE-2019-15033 | | | 0.00 | — | 0.01 | | Sep 19, 2019 | Pydio 6.0.8 allows authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as demonstrated by the file=http%3A%2F%2F192.168.1.2 substring. |
| CVE-2019-12903 | | | 0.00 | — | 0.01 | | Jun 19, 2019 | Pydio Cells before 1.5.0, when supplied with a Name field in an unexpected Unicode format, fails to handle this and includes the database column/table name as part of the error message, exposing sensitive information. |
| CVE-2019-12902 | | | 0.00 | — | 0.01 | | Jun 19, 2019 | Pydio Cells before 1.5.0 does incomplete cleanup of a user's data upon deletion. This allows a new user, holding the same User ID as a deleted user, to restore the deleted user's data. |
| CVE-2019-12901 | | | 0.00 | — | 0.02 | | Jun 19, 2019 | Pydio Cells before 1.5.0 fails to neutralize '../' elements, allowing an attacker with minimum privilege to upload files to, and delete files/folders from, an unprivileged directory, leading to privilege escalation. |
| CVE-2019-10049 | | | 0.00 | — | 0.01 | | May 31, 2019 | It is possible for an attacker with regular user access to the web application of Pydio through 8.2.2 to trick an administrator user into opening a link shared through the application, that in turn opens a shared file that contains JavaScript code (that is executed in the… |
| CVE-2019-10048 | | | 0.00 | — | 0.03 | | May 31, 2019 | The ImageMagick plugin that is installed by default in Pydio through 8.2.2 does not perform the appropriate validation and sanitization of user supplied input in the plugin's configuration options, allowing arbitrary shell commands to be entered that result in command execution… |
| CVE-2019-10046 | | | 0.00 | — | 0.01 | | May 31, 2019 | An unauthenticated attacker can obtain information about the Pydio 8.2.2 configuration including session timeout, libraries, and license information. |
| CVE-2019-10045 | | | 0.00 | — | 0.01 | | May 31, 2019 | The "action" get_sess_id in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value. This identifier can be reused by an attacker to impersonate a user and perform actions on behalf of… |
| CVE-2013-6226 | | | 0.00 | — | 0.02 | | Nov 14, 2013 | Directory traversal vulnerability in plugins/editor.zoho/agent/save_zoho.php in the Zoho plugin in Pydio (formerly AjaXplorer) before 5.0.4 allows remote attackers to read or delete arbitrary files via unspecified vectors. |