Vulnerabilities > Pydio

DATE CVE VULNERABILITY TITLE RISK
2019-06-20 CVE-2019-12901 Path Traversal vulnerability in Pydio Cells
Pydio Cells before 1.5.0 fails to neutralize '../' elements, allowing an attacker with minimum privilege to upload files to, and delete files/folders from, an unprivileged directory, leading to privilege escalation.
network
low complexity
pydio CWE-22
6.5
2019-06-05 CVE-2019-9642 Unrestricted Upload of File with Dangerous Type vulnerability in Pydio
An issue was discovered in proxy.php in pydio-core in Pydio through 8.2.2.
network
low complexity
pydio CWE-434
7.5
2019-05-31 CVE-2019-10049 Cross-site Scripting vulnerability in Pydio
It is possible for an attacker with regular user access to the web application of Pydio through 8.2.2 to trick an administrator user into opening a link shared through the application, which in turn opens a shared file that contains JavaScript code. That code is executed in the context of the victim user to obtain sensitive information such as session identifiers and to perform actions on the victim's behalf.
network
pydio CWE-79
4.9
2019-05-31 CVE-2019-10048 OS Command Injection vulnerability in Pydio
The ImageMagick plugin that is installed by default in Pydio through 8.2.2 does not perform the appropriate validation and sanitization of user supplied input in the plugin's configuration options, allowing arbitrary shell commands to be entered that result in command execution on the underlying operating system, with the privileges of the local user running the web server.
network
low complexity
pydio CWE-78
critical
9.0
2019-05-31 CVE-2019-10047 Cross-site Scripting vulnerability in Pydio
A stored XSS vulnerability exists in the web application of Pydio through 8.2.2 that can be exploited by leveraging the file upload and file preview features of the application.
network
pydio CWE-79
3.5
2019-05-31 CVE-2019-10046 Missing Authentication for Critical Function vulnerability in Pydio 8.2.2
An unauthenticated attacker can obtain information about the Pydio 8.2.2 configuration including session timeout, libraries, and license information.
network
low complexity
pydio CWE-306
5.0
2019-05-31 CVE-2019-10045 Session Fixation vulnerability in Pydio
The "action" get_sess_id in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value.
network
low complexity
pydio CWE-384
6.4
2019-01-15 CVE-2018-20718 Deserialization of Untrusted Data vulnerability in Pydio
In Pydio before 8.2.2, an attack is possible via PHP Object Injection because a user is allowed to use the $phpserial$a:0:{} syntax to store a preference.
network
low complexity
pydio CWE-502
critical
10.0
2018-10-16 CVE-2018-14772 OS Command Injection vulnerability in Pydio
Pydio 4.2.1 through 8.2.1 has an authenticated remote code execution vulnerability in which an attacker with administrator access to the web application can execute arbitrary code on the underlying system via Command Injection.
network
low complexity
pydio CWE-78
critical
9.0
2018-07-23 CVE-2018-1999018 Improper Input Validation vulnerability in Pydio
Pydio version 8.2.1 and prior contains an unvalidated user input vulnerability leading to remote code execution (RCE) in plugins/action.antivirus/AntivirusScanner.php, line 124, scanNow($nodeObject), which can result in an attacker gaining admin access and then executing arbitrary commands on the underlying OS.
network
pydio CWE-20
8.5