Vendor CVEs
Pydio
All CVEs
33 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-3431 | Cri | 0.64 | 9.8 | 0.04 | Sep 19, 2017 | Pydio (formerly AjaXplorer) before 6.0.7 allows remote attackers to execute arbitrary commands via unspecified vectors, aka "Pydio OS Command Injection Vulnerabilities." | ||
| CVE-2018-1999018 | Med | 0.43 | 6.6 | 0.03 | Jul 23, 2018 | Pydio version 8.2.1 and prior contains an Unvalidated user input leading to Remote Code Execution (RCE) vulnerability in plugins/action.antivirus/AntivirusScanner.php: Line 124, scanNow($nodeObject) that can result in An attacker gaining admin access and can then execute… | ||
| CVE-2018-1999016 | Med | 0.40 | 6.1 | 0.01 | Jul 23, 2018 | Pydio version 8.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in ./core/vendor/meenie/javascript-packer/example-inline.php line 48; ./core/vendor/dapphp/securimage/examples/test.mysql.static.php lines: 114,118 that can result in an unauthenticated remote… | ||
| CVE-2015-3432 | Med | 0.40 | 6.1 | 0.01 | Sep 19, 2017 | Multiple cross-site scripting (XSS) vulnerabilities in Pydio (formerly AjaXplorer) before 6.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Pydio XSS Vulnerabilities." | ||
| CVE-2018-1999017 | Med | 0.32 | 4.9 | 0.01 | Jul 23, 2018 | Pydio version 8.2.0 and earlier contains a Server-Side Request Forgery (SSRF) vulnerability in plugins/action.updater/UpgradeManager.php Line: 154, getUpgradePath($url) that can result in an authenticated admin users requesting arbitrary URL's, pivoting requests through the… | ||
| CVE-2023-32749 | 0.07 | — | 0.14 | Jun 8, 2023 | Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created… | |||
| CVE-2013-6227 | 0.04 | — | 0.08 | Dec 27, 2014 | Unrestricted file upload vulnerability in plugins/editor.zoho/agent/save_zoho.php in the Zoho plugin in Pydio (formerly AjaXplorer) before 5.0.4 allows remote attackers to execute arbitrary code by uploading an executable file, and then accessing this file at a location… | |||
| CVE-2023-32751 | 0.03 | — | 0.03 | Jun 8, 2023 | Pydio Cells through 4.1.2 allows XSS. Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript [1]. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web… | |||
| CVE-2018-14772 | 0.03 | — | 0.07 | Oct 16, 2018 | Pydio 4.2.1 through 8.2.1 has an authenticated remote code execution vulnerability in which an attacker with administrator access to the web application can execute arbitrary code on the underlying system via Command Injection. | |||
| CVE-2018-20718 | 0.01 | — | 0.04 | Jan 15, 2019 | In Pydio before 8.2.2, an attack is possible via PHP Object Injection because a user is allowed to use the $phpserial$a:0:{} syntax to store a preference. An attacker either needs a "public link" of a file, or access to any unprivileged user account for creation of such a link. | |||
| CVE-2024-40124 | 0.00 | — | 0.00 | Apr 17, 2025 | Pydio Core <= 8.2.5 is vulnerable to Cross Site Scripting (XSS) via the New URL Bookmark feature. | |||
| CVE-2021-41324 | 0.00 | — | 0.02 | Sep 30, 2021 | Directory traversal in the Copy, Move, and Delete features in Pydio Cells 2.2.9 allows remote authenticated users to enumerate personal files (or Cells files belonging to any user) via the nodes parameter (for Copy and Move) or via the Path parameter (for Delete). | |||
| CVE-2021-41325 | 0.00 | — | 0.01 | Sep 30, 2021 | Broken access control for user creation in Pydio Cells 2.2.9 allows remote anonymous users to create standard users via the profile parameter. (In addition, such users can be granted several admin permissions via the Roles parameter.) | |||
| CVE-2021-41323 | 0.00 | — | 0.02 | Sep 30, 2021 | Directory traversal in the Compress feature in Pydio Cells 2.2.9 allows remote authenticated users to overwrite personal files, or Cells files belonging to any user, via the format parameter. | |||
| CVE-2020-12850 | 0.00 | — | 0.00 | Jun 11, 2020 | The following vulnerability applies only to the Pydio Cells Enterprise OVF version 2.0.4. Prior versions of the Pydio Cells Enterprise OVF (such as version 2.0.3) have a looser policy restriction allowing the “pydio” user to execute any privileged command using sudo. In… | |||
| CVE-2020-12848 | 0.00 | — | 0.01 | Jun 5, 2020 | In Pydio Cells 2.0.4, once an authenticated user shares a file selecting the create a public link option, a hidden shared user account is created in the backend with a random username. An anonymous user that obtains a valid public link can get the associated hidden account… | |||
| CVE-2020-12849 | 0.00 | — | 0.01 | Jun 5, 2020 | Pydio Cells 2.0.4 allows any user to upload a profile image to the web application, including standard and shared user roles. These profile pictures can later be accessed directly with the generated URL by any unauthenticated or authenticated user. | |||
| CVE-2020-12847 | 0.00 | — | 0.02 | Jun 4, 2020 | Pydio Cells 2.0.4 web application offers an administrative console named “Cells Console” that is available to users with an administrator role. This console provides an administrator user with the possibility of changing several settings, including the application’s mailer… | |||
| CVE-2020-12851 | 0.00 | — | 0.01 | Jun 4, 2020 | Pydio Cells 2.0.4 allows an authenticated user to write or overwrite existing files in another user’s personal and cells folders (repositories) by uploading a custom generated ZIP file and leveraging the file extraction feature present in the web application. The extracted… | |||
| CVE-2020-12852 | 0.00 | — | 0.02 | Jun 4, 2020 | The update feature for Pydio Cells 2.0.4 allows an administrator user to set a custom update URL and the public RSA key used to validate the downloaded update package. The update process involves downloading the updated binary file from a URL indicated in the update server… | |||
| CVE-2020-12853 | 0.00 | — | 0.01 | Jun 4, 2020 | Pydio Cells 2.0.4 allows XSS. A malicious user can either upload or create a new file that contains potentially malicious HTML and JavaScript code to personal folders or accessible cells. | |||
| CVE-2019-20453 | 0.00 | — | 0.02 | Mar 17, 2020 | A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/uploader.http/HttpDownload.php. An authenticated user with basic privileges can inject objects and achieve remote code execution. | |||
| CVE-2019-20452 | 0.00 | — | 0.02 | Mar 17, 2020 | A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/core.access/src/RecycleBinManager.php. An authenticated user with basic privileges can inject objects and achieve remote code execution. | |||
| CVE-2019-15033 | 0.00 | — | 0.01 | Sep 19, 2019 | Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as demonstrated by the file=http%3A%2F%2F192.168.1.2 substring. | |||
| CVE-2019-12903 | 0.00 | — | 0.01 | Jun 19, 2019 | Pydio Cells before 1.5.0, when supplied with a Name field in an unexpected Unicode format, fails to handle this and includes the database column/table name as pert of the error message, exposing sensitive information. | |||
| CVE-2019-12902 | 0.00 | — | 0.01 | Jun 19, 2019 | Pydio Cells before 1.5.0 does incomplete cleanup of a user's data upon deletion. This allows a new user, holding the same User ID as a deleted user, to restore the deleted user's data. | |||
| CVE-2019-12901 | 0.00 | — | 0.02 | Jun 19, 2019 | Pydio Cells before 1.5.0 fails to neutralize '../' elements, allowing an attacker with minimum privilege to Upload files to, and Delete files/folders from, an unprivileged directory, leading to Privilege escalation. | |||
| CVE-2019-9642 | 0.00 | — | 0.02 | Jun 5, 2019 | An issue was discovered in proxy.php in pydio-core in Pydio through 8.2.2. Through an unauthenticated request, it possible to evaluate malicious PHP code by placing it on the fourth line of a .php file, as demonstrated by a PoC.php created by the guest account, with execution… | |||
| CVE-2019-10049 | 0.00 | — | 0.01 | May 31, 2019 | It is possible for an attacker with regular user access to the web application of Pydio through 8.2.2 to trick an administrator user into opening a link shared through the application, that in turn opens a shared file that contains JavaScript code (that is executed in the… | |||
| CVE-2019-10048 | 0.00 | — | 0.03 | May 31, 2019 | The ImageMagick plugin that is installed by default in Pydio through 8.2.2 does not perform the appropriate validation and sanitization of user supplied input in the plugin's configuration options, allowing arbitrary shell commands to be entered that result in command execution… | |||
| CVE-2019-10046 | 0.00 | — | 0.01 | May 31, 2019 | An unauthenticated attacker can obtain information about the Pydio 8.2.2 configuration including session timeout, libraries, and license information. | |||
| CVE-2019-10045 | 0.00 | — | 0.01 | May 31, 2019 | The "action" get_sess_id in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value. This identifier can be reused by an attacker to impersonate a user and perform actions on behalf of… | |||
| CVE-2013-6226 | 0.00 | — | 0.02 | Nov 14, 2013 | Directory traversal vulnerability in plugins/editor.zoho/agent/save_zoho.php in the Zoho plugin in Pydio (formerly AjaXplorer) before 5.0.4 allows remote attackers to read or delete arbitrary files via unspecified vectors. |
- risk 0.64cvss 9.8epss 0.04
Pydio (formerly AjaXplorer) before 6.0.7 allows remote attackers to execute arbitrary commands via unspecified vectors, aka "Pydio OS Command Injection Vulnerabilities."
- risk 0.43cvss 6.6epss 0.03
Pydio version 8.2.1 and prior contains an Unvalidated user input leading to Remote Code Execution (RCE) vulnerability in plugins/action.antivirus/AntivirusScanner.php: Line 124, scanNow($nodeObject) that can result in An attacker gaining admin access and can then execute…
- risk 0.40cvss 6.1epss 0.01
Pydio version 8.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in ./core/vendor/meenie/javascript-packer/example-inline.php line 48; ./core/vendor/dapphp/securimage/examples/test.mysql.static.php lines: 114,118 that can result in an unauthenticated remote…
- risk 0.40cvss 6.1epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Pydio (formerly AjaXplorer) before 6.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Pydio XSS Vulnerabilities."
- risk 0.32cvss 4.9epss 0.01
Pydio version 8.2.0 and earlier contains a Server-Side Request Forgery (SSRF) vulnerability in plugins/action.updater/UpgradeManager.php Line: 154, getUpgradePath($url) that can result in an authenticated admin users requesting arbitrary URL's, pivoting requests through the…
- CVE-2023-32749Jun 8, 2023risk 0.07cvss —epss 0.14
Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created…
- CVE-2013-6227Dec 27, 2014risk 0.04cvss —epss 0.08
Unrestricted file upload vulnerability in plugins/editor.zoho/agent/save_zoho.php in the Zoho plugin in Pydio (formerly AjaXplorer) before 5.0.4 allows remote attackers to execute arbitrary code by uploading an executable file, and then accessing this file at a location…
- CVE-2023-32751Jun 8, 2023risk 0.03cvss —epss 0.03
Pydio Cells through 4.1.2 allows XSS. Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript [1]. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web…
- CVE-2018-14772Oct 16, 2018risk 0.03cvss —epss 0.07
Pydio 4.2.1 through 8.2.1 has an authenticated remote code execution vulnerability in which an attacker with administrator access to the web application can execute arbitrary code on the underlying system via Command Injection.
- CVE-2018-20718Jan 15, 2019risk 0.01cvss —epss 0.04
In Pydio before 8.2.2, an attack is possible via PHP Object Injection because a user is allowed to use the $phpserial$a:0:{} syntax to store a preference. An attacker either needs a "public link" of a file, or access to any unprivileged user account for creation of such a link.
- CVE-2024-40124Apr 17, 2025risk 0.00cvss —epss 0.00
Pydio Core <= 8.2.5 is vulnerable to Cross Site Scripting (XSS) via the New URL Bookmark feature.
- CVE-2021-41324Sep 30, 2021risk 0.00cvss —epss 0.02
Directory traversal in the Copy, Move, and Delete features in Pydio Cells 2.2.9 allows remote authenticated users to enumerate personal files (or Cells files belonging to any user) via the nodes parameter (for Copy and Move) or via the Path parameter (for Delete).
- CVE-2021-41325Sep 30, 2021risk 0.00cvss —epss 0.01
Broken access control for user creation in Pydio Cells 2.2.9 allows remote anonymous users to create standard users via the profile parameter. (In addition, such users can be granted several admin permissions via the Roles parameter.)
- CVE-2021-41323Sep 30, 2021risk 0.00cvss —epss 0.02
Directory traversal in the Compress feature in Pydio Cells 2.2.9 allows remote authenticated users to overwrite personal files, or Cells files belonging to any user, via the format parameter.
- CVE-2020-12850Jun 11, 2020risk 0.00cvss —epss 0.00
The following vulnerability applies only to the Pydio Cells Enterprise OVF version 2.0.4. Prior versions of the Pydio Cells Enterprise OVF (such as version 2.0.3) have a looser policy restriction allowing the “pydio” user to execute any privileged command using sudo. In…
- CVE-2020-12848Jun 5, 2020risk 0.00cvss —epss 0.01
In Pydio Cells 2.0.4, once an authenticated user shares a file selecting the create a public link option, a hidden shared user account is created in the backend with a random username. An anonymous user that obtains a valid public link can get the associated hidden account…
- CVE-2020-12849Jun 5, 2020risk 0.00cvss —epss 0.01
Pydio Cells 2.0.4 allows any user to upload a profile image to the web application, including standard and shared user roles. These profile pictures can later be accessed directly with the generated URL by any unauthenticated or authenticated user.
- CVE-2020-12847Jun 4, 2020risk 0.00cvss —epss 0.02
Pydio Cells 2.0.4 web application offers an administrative console named “Cells Console” that is available to users with an administrator role. This console provides an administrator user with the possibility of changing several settings, including the application’s mailer…
- CVE-2020-12851Jun 4, 2020risk 0.00cvss —epss 0.01
Pydio Cells 2.0.4 allows an authenticated user to write or overwrite existing files in another user’s personal and cells folders (repositories) by uploading a custom generated ZIP file and leveraging the file extraction feature present in the web application. The extracted…
- CVE-2020-12852Jun 4, 2020risk 0.00cvss —epss 0.02
The update feature for Pydio Cells 2.0.4 allows an administrator user to set a custom update URL and the public RSA key used to validate the downloaded update package. The update process involves downloading the updated binary file from a URL indicated in the update server…
- CVE-2020-12853Jun 4, 2020risk 0.00cvss —epss 0.01
Pydio Cells 2.0.4 allows XSS. A malicious user can either upload or create a new file that contains potentially malicious HTML and JavaScript code to personal folders or accessible cells.
- CVE-2019-20453Mar 17, 2020risk 0.00cvss —epss 0.02
A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/uploader.http/HttpDownload.php. An authenticated user with basic privileges can inject objects and achieve remote code execution.
- CVE-2019-20452Mar 17, 2020risk 0.00cvss —epss 0.02
A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/core.access/src/RecycleBinManager.php. An authenticated user with basic privileges can inject objects and achieve remote code execution.
- CVE-2019-15033Sep 19, 2019risk 0.00cvss —epss 0.01
Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as demonstrated by the file=http%3A%2F%2F192.168.1.2 substring.
- CVE-2019-12903Jun 19, 2019risk 0.00cvss —epss 0.01
Pydio Cells before 1.5.0, when supplied with a Name field in an unexpected Unicode format, fails to handle this and includes the database column/table name as pert of the error message, exposing sensitive information.
- CVE-2019-12902Jun 19, 2019risk 0.00cvss —epss 0.01
Pydio Cells before 1.5.0 does incomplete cleanup of a user's data upon deletion. This allows a new user, holding the same User ID as a deleted user, to restore the deleted user's data.
- CVE-2019-12901Jun 19, 2019risk 0.00cvss —epss 0.02
Pydio Cells before 1.5.0 fails to neutralize '../' elements, allowing an attacker with minimum privilege to Upload files to, and Delete files/folders from, an unprivileged directory, leading to Privilege escalation.
- CVE-2019-9642Jun 5, 2019risk 0.00cvss —epss 0.02
An issue was discovered in proxy.php in pydio-core in Pydio through 8.2.2. Through an unauthenticated request, it possible to evaluate malicious PHP code by placing it on the fourth line of a .php file, as demonstrated by a PoC.php created by the guest account, with execution…
- CVE-2019-10049May 31, 2019risk 0.00cvss —epss 0.01
It is possible for an attacker with regular user access to the web application of Pydio through 8.2.2 to trick an administrator user into opening a link shared through the application, that in turn opens a shared file that contains JavaScript code (that is executed in the…
- CVE-2019-10048May 31, 2019risk 0.00cvss —epss 0.03
The ImageMagick plugin that is installed by default in Pydio through 8.2.2 does not perform the appropriate validation and sanitization of user supplied input in the plugin's configuration options, allowing arbitrary shell commands to be entered that result in command execution…
- CVE-2019-10046May 31, 2019risk 0.00cvss —epss 0.01
An unauthenticated attacker can obtain information about the Pydio 8.2.2 configuration including session timeout, libraries, and license information.
- CVE-2019-10045May 31, 2019risk 0.00cvss —epss 0.01
The "action" get_sess_id in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value. This identifier can be reused by an attacker to impersonate a user and perform actions on behalf of…
- CVE-2013-6226Nov 14, 2013risk 0.00cvss —epss 0.02
Directory traversal vulnerability in plugins/editor.zoho/agent/save_zoho.php in the Zoho plugin in Pydio (formerly AjaXplorer) before 5.0.4 allows remote attackers to read or delete arbitrary files via unspecified vectors.