
18 matches found

RedhatCVE
added 2026/01/09 10:6 a.m. | 5 views

CVE-2019-20453

A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/uploader.http/HttpDownload.php. An authenticated user with basic privileges can inject objects and achieve remote code execution...

CVSS 8.8 | AI score 7.8 | EPSS 0.02135
Exploits: 0 | References: 1

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2019-6120

Malware in sbrugna...

CVSS 7.7 | AI score 7.5 | EPSS 0.01332
Exploits: 1 | References: 4

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2018-10712

Malware in sbrugna...

CVSS 4.9 | AI score 5.1 | EPSS 0.00974
Exploits: 1 | References: 3

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2019-2111

Malware in sbrugna...

CVSS 9 | AI score 7 | EPSS 0.03309
Exploits: 3 | References: 3

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2019-2112

Malware in sbrugna...

CVSS 7.3 | AI score 7.4 | EPSS 0.01164
Exploits: 3 | References: 3

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2019-19011

Malware in sbrugna...

CVSS 9.8 | AI score 9.3 | EPSS 0.02433
Exploits: 0 | References: 3

EUVD
added 2025/10/07 12:30 a.m. | 7 views

EUVD-2018-13263

Malware in sbrugna...

CVSS 10 | AI score 9.5 | EPSS 0.03726
Exploits: 1 | References: 2

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2019-10998

Malware in sbrugna...

CVSS 8.8 | AI score 8.6 | EPSS 0.02135
Exploits: 0 | References: 3

EUVD
added 2025/10/07 12:30 a.m. | 6 views

EUVD-2018-10713

Malware in sbrugna...

CVSS 8.5 | AI score 6.6 | EPSS 0.03491
Exploits: 1 | References: 2

RedhatCVE
added 2025/05/22 10:25 a.m. | 7 views

CVE-2019-10048

The ImageMagick plugin that is installed by default in Pydio through 8.2.2 does not perform the appropriate validation and sanitization of user supplied input in the plugin's configuration options, allowing arbitrary shell commands to be entered that result in command execution on the underlying...

CVSS 9 | AI score 7 | EPSS 0.03309
Exploits: 3 | References: 1

RedhatCVE
added 2025/05/22 8:9 a.m. | 8 views

CVE-2019-15032

Pydio 6.0.8 mishandles error reporting when a directory allows unauthenticated uploads, and the remote-upload option is used with the http://localhost:22 URL. The attacker can obtain sensitive information such as the name of the user who created that directory and other internal server informatio...

CVSS 5.3 | AI score 6.6 | EPSS 0.01575
Exploits: 1 | References: 1

RedhatCVE
added 2025/05/22 8:6 a.m. | 6 views

CVE-2019-10045

The "action" getsessid in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value. This identifier can be reused by an attacker to impersonate a user and perform actions on behalf of him/her if the session is...

CVSS 6.5 | AI score 6.8 | EPSS 0.01031
Exploits: 3 | References: 1

RedhatCVE
added 2025/05/22 7:41 a.m. | 7 views

CVE-2019-10049

It is possible for an attacker with regular user access to the web application of Pydio through 8.2.2 to trick an administrator user into opening a link shared through the application, that in turn opens a shared file that contains JavaScript code that is executed in the context of the victim use...

CVSS 7.3 | AI score 6.5 | EPSS 0.01164
Exploits: 3 | References: 1

RedhatCVE
added 2025/05/22 6:57 a.m. | 5 views

CVE-2018-1999017

Pydio version 8.2.0 and earlier contains a Server-Side Request Forgery (SSRF) vulnerability in plugins/action.updater/UpgradeManager.php Line: 154, getUpgradePath($url) that can result in authenticated admin users requesting arbitrary URLs, pivoting requests through the server. This attack appear...

CVSS 4.9 | AI score 7 | EPSS 0.00974
Exploits: 1 | References: 1

RedhatCVE
added 2025/05/22 6:56 a.m. | 5 views

CVE-2018-1999016

Pydio version 8.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in ./core/vendor/meenie/javascript-packer/example-inline.php line 48; ./core/vendor/dapphp/securimage/examples/test.mysql.static.php lines: 114,118 that can result in an unauthenticated remote attacker manipulating...

CVSS 6.1 | AI score 6 | EPSS 0.0097
Exploits: 1 | References: 1

RedhatCVE
added 2025/05/22 5:28 a.m. | 4 views

CVE-2019-9642

An issue was discovered in proxy.php in pydio-core in Pydio through 8.2.2. Through an unauthenticated request, it is possible to evaluate malicious PHP code by placing it on the fourth line of a .php file, as demonstrated by a PoC.php created by the guest account, with execution via a...

CVSS 9.8 | AI score 7.2 | EPSS 0.02433
Exploits: 0 | References: 1

NVD
added 2019/09/19 5:15 p.m. | 24 views

CVE-2019-15032

Pydio 6.0.8 mishandles error reporting when a directory allows unauthenticated uploads, and the remote-upload option is used with the http://localhost:22 URL. The attacker can obtain sensitive information such as the name of the user who created that directory and other internal server informatio...

CVSS 5.3 | AI score 5.3 | EPSS 0.01575
Exploits: 1 | References: 3

CNVD
added 2015/05/11 12:0 a.m. | 3 views

Unspecified vulnerability in Pydio (CNVD-2015-03021)

AjaXplorer, renamed Pydio, is software that implements the file management functions of the remote end through the local... Pydio has an unspecified security vulnerability, details of which are not available at this time...

CVSS 10 | AI score 7 | EPSS 0.04111
Exploits: 0 | References: 1