DATE CVE VULNERABILITY TITLE RISK
2019-09-19 CVE-2019-15032 Information Exposure Through an Error Message vulnerability in Pydio 6.0.8
Pydio 6.0.8 mishandles error reporting when a directory allows unauthenticated uploads, and the remote-upload option is used with the http://localhost:22 URL.
Risk: 5.3 (network, low complexity) | pydio | CWE-209
2019-05-31 CVE-2019-10047 Cross-site Scripting vulnerability in Pydio
A stored XSS vulnerability exists in the web application of Pydio through 8.2.2 that can be exploited by leveraging the file upload and file preview features of the application.
Risk: 5.4 (network, low complexity) | pydio | CWE-79
2019-05-31 CVE-2019-10046 Missing Authentication for Critical Function vulnerability in Pydio 8.2.2
An unauthenticated attacker can obtain information about the Pydio 8.2.2 configuration including session timeout, libraries, and license information.
Risk: 5.3 (network, low complexity) | pydio | CWE-306
2019-05-31 CVE-2019-10045 Session Fixation vulnerability in Pydio
The "action" get_sess_id in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value.
Risk: 6.5 (network, low complexity) | pydio | CWE-384
2018-07-23 CVE-2018-1999018 Improper Input Validation vulnerability in Pydio
Pydio version 8.2.1 and prior contains an unvalidated user input vulnerability leading to remote code execution (RCE) in plugins/action.antivirus/AntivirusScanner.php, line 124, scanNow($nodeObject), that can result in an attacker gaining admin access and then executing arbitrary commands on the underlying OS.
Risk: 6.6 (network, high complexity) | pydio | CWE-20
2018-07-23 CVE-2018-1999017 Server-Side Request Forgery (SSRF) vulnerability in Pydio
Pydio version 8.2.0 and earlier contains a Server-Side Request Forgery (SSRF) vulnerability in plugins/action.updater/UpgradeManager.php, line 154, getUpgradePath($url), that can result in an authenticated admin user requesting arbitrary URLs, pivoting requests through the server.
Risk: 4.9 (network, low complexity) | pydio | CWE-918
2018-07-23 CVE-2018-1999016 Cross-site Scripting vulnerability in Pydio
Pydio version 8.2.0 and earlier contains a cross-site scripting (XSS) vulnerability in ./core/vendor/meenie/javascript-packer/example-inline.php, line 48, and ./core/vendor/dapphp/securimage/examples/test.mysql.static.php, lines 114 and 118, that can result in an unauthenticated remote attacker manipulating the web client via XSS code injection.
Risk: 6.1 (network, low complexity) | pydio | CWE-79
2017-09-19 CVE-2015-3432 Cross-site Scripting vulnerability in Pydio
Multiple cross-site scripting (XSS) vulnerabilities in Pydio (formerly AjaXplorer) before 6.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Pydio XSS Vulnerabilities."
Risk: 6.1 (network, low complexity) | pydio | CWE-79