Pydio Core

by Pydio

CVEs (9)

  • CVE-2018-1999018 | Med | Jul 23, 2018
    risk 0.43 | cvss 6.6 | epss 0.03

    Pydio version 8.2.1 and prior contains an unvalidated user input vulnerability leading to Remote Code Execution (RCE) in plugins/action.antivirus/AntivirusScanner.php, line 124, scanNow($nodeObject), that can result in an attacker gaining admin access and can then execute…

  • CVE-2018-1999016 | Med | Jul 23, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    Pydio version 8.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in ./core/vendor/meenie/javascript-packer/example-inline.php line 48; ./core/vendor/dapphp/securimage/examples/test.mysql.static.php lines: 114,118 that can result in an unauthenticated remote…

  • CVE-2018-1999017 | Med | Jul 23, 2018
    risk 0.32 | cvss 4.9 | epss 0.01

    Pydio version 8.2.0 and earlier contains a Server-Side Request Forgery (SSRF) vulnerability in plugins/action.updater/UpgradeManager.php, line 154, getUpgradePath($url), that can result in authenticated admin users requesting arbitrary URLs, pivoting requests through the…

  • CVE-2018-14772 | Oct 16, 2018
    risk 0.03 | cvss | epss 0.07

    Pydio 4.2.1 through 8.2.1 has an authenticated remote code execution vulnerability in which an attacker with administrator access to the web application can execute arbitrary code on the underlying system via Command Injection.

  • CVE-2018-20718 | Jan 15, 2019
    risk 0.01 | cvss | epss 0.04

    In Pydio before 8.2.2, an attack is possible via PHP Object Injection because a user is allowed to use the $phpserial$a:0:{} syntax to store a preference. An attacker either needs a "public link" of a file, or access to any unprivileged user account for creation of such a link.

  • CVE-2024-40124 | Apr 17, 2025
    risk 0.00 | cvss | epss 0.00

    Pydio Core <= 8.2.5 is vulnerable to Cross Site Scripting (XSS) via the New URL Bookmark feature.

  • CVE-2019-20453 | Mar 17, 2020
    risk 0.00 | cvss | epss 0.02

    A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/uploader.http/HttpDownload.php. An authenticated user with basic privileges can inject objects and achieve remote code execution.

  • CVE-2019-20452 | Mar 17, 2020
    risk 0.00 | cvss | epss 0.02

    A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/core.access/src/RecycleBinManager.php. An authenticated user with basic privileges can inject objects and achieve remote code execution.

  • CVE-2019-9642 | Jun 5, 2019
    risk 0.00 | cvss | epss 0.02

    An issue was discovered in proxy.php in pydio-core in Pydio through 8.2.2. Through an unauthenticated request, it is possible to evaluate malicious PHP code by placing it on the fourth line of a .php file, as demonstrated by a PoC.php created by the guest account, with execution…