Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Pydio Subscribe
Total 32 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2013-4267 1 Pydio 1 Pydio 2020-02-12 10.0 HIGH 9.8 CRITICAL
Ajaxeplorer before 5.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) archive_name parameter to the Power FS module (plugins/action.powerfs/class.PowerFSController.php), a (2) file name to the getTrustSizeOnFileSystem function in the File System (Standard) module (plugins/access.fs/class.fsAccessWrapper.php), or the (3) revision parameter to the Subversion Repository module (plugins/meta.svn/class.SvnManager.php).
CVE-2019-15033 1 Pydio 1 Pydio 2019-09-20 4.0 MEDIUM 7.7 HIGH
Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as demonstrated by the file=http%3A%2F%2F192.168.1.2 substring.
CVE-2019-15032 1 Pydio 1 Pydio 2019-09-19 5.0 MEDIUM 5.3 MEDIUM
Pydio 6.0.8 mishandles error reporting when a directory allows unauthenticated uploads, and the remote-upload option is used with the http://localhost:22 URL. The attacker can obtain sensitive information such as the name of the user who created that directory and other internal server information.
CVE-2019-10047 1 Pydio 1 Pydio 2019-06-03 3.5 LOW 5.4 MEDIUM
A stored XSS vulnerability exists in the web application of Pydio through 8.2.2 that can be exploited by levering the file upload and file preview features of the application. An authenticated attacker can upload an HTML file containing JavaScript code and afterwards a file preview URL can be used to access the uploaded file. If a malicious user shares an uploaded HTML file containing JavaScript code with another user of the application, and tricks an authenticated victim into accessing a URL that results in the HTML code being interpreted by the web browser, then the included JavaScript code is executed under the context of the victim user session.
CVE-2019-10048 1 Pydio 1 Pydio 2019-06-03 9.0 HIGH 7.2 HIGH
The ImageMagick plugin that is installed by default in Pydio through 8.2.2 does not perform the appropriate validation and sanitization of user supplied input in the plugin's configuration options, allowing arbitrary shell commands to be entered that result in command execution on the underlying operating system, with the privileges of the local user running the web server. The attacker must be authenticated into the application with an administrator user account in order to be able to edit the affected plugin configuration.
CVE-2019-10045 1 Pydio 1 Pydio 2019-06-03 6.4 MEDIUM 6.5 MEDIUM
The "action" get_sess_id in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value. This identifier can be reused by an attacker to impersonate a user and perform actions on behalf of him/her (if the session is still active).
CVE-2013-6227 2 Ajaxplorer, Pydio 2 Ajaxplorer, Pydio 2019-01-19 7.5 HIGH N/A
Unrestricted file upload vulnerability in plugins/editor.zoho/agent/save_zoho.php in the Zoho plugin in Pydio (formerly AjaXplorer) before 5.0.4 allows remote attackers to execute arbitrary code by uploading an executable file, and then accessing this file at a location specified by the format parameter of a move operation.
CVE-2018-1999017 1 Pydio 1 Pydio 2018-09-20 4.0 MEDIUM 4.9 MEDIUM
Pydio version 8.2.0 and earlier contains a Server-Side Request Forgery (SSRF) vulnerability in plugins/action.updater/UpgradeManager.php Line: 154, getUpgradePath($url) that can result in an authenticated admin users requesting arbitrary URL's, pivoting requests through the server. This attack appears to be exploitable via the attacker gaining access to an administrative account, enters a URL into Upgrade Engine, and reloads the page or presses "Check Now". This vulnerability appears to have been fixed in 8.2.1.
CVE-2018-1999018 1 Pydio 1 Pydio 2018-09-20 8.5 HIGH 6.6 MEDIUM
Pydio version 8.2.1 and prior contains an Unvalidated user input leading to Remote Code Execution (RCE) vulnerability in plugins/action.antivirus/AntivirusScanner.php: Line 124, scanNow($nodeObject) that can result in An attacker gaining admin access and can then execute arbitrary commands on the underlying OS. This attack appear to be exploitable via The attacker edits the Antivirus Command in the antivirus plugin, and executes the payload by uploading any file within Pydio.
CVE-2018-1999016 1 Pydio 1 Pydio 2018-09-19 4.3 MEDIUM 6.1 MEDIUM
Pydio version 8.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in ./core/vendor/meenie/javascript-packer/example-inline.php line 48; ./core/vendor/dapphp/securimage/examples/test.mysql.static.php lines: 114,118 that can result in an unauthenticated remote attacker manipulating the web client via XSS code injection. This attack appear to be exploitable via the victim openning a specially crafted URL. This vulnerability appears to have been fixed in version 8.2.1.
CVE-2015-3431 1 Pydio 1 Pydio 2017-09-28 10.0 HIGH 9.8 CRITICAL
Pydio (formerly AjaXplorer) before 6.0.7 allows remote attackers to execute arbitrary commands via unspecified vectors, aka "Pydio OS Command Injection Vulnerabilities."
CVE-2015-3432 1 Pydio 1 Pydio 2017-09-23 4.3 MEDIUM 6.1 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in Pydio (formerly AjaXplorer) before 6.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Pydio XSS Vulnerabilities."