2 matches found
CVE-2018-20718
In Pydio before 8.2.2, an attack is possible via PHP Object Injection because a user is allowed to use the $phpserial$a:0: syntax to store a preference. An attacker either needs a "public link" of a file, or access to any unprivileged user account for creation of such a link...
CVE-2018-20718
In Pydio Core before 8.2.2, a PHP Object Injection vulnerability exists via the $phpserial$a:0:{} syntax used when storing a user preference. An attacker requires either a public link to a file or access to an unprivileged user account to create such a link. The issue is rated CRITICAL (CVSSv3: 9...