CVE-2019-20453

Published: Mar 17, 2020Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/uploader.http/HttpDownload.php. An authenticated user with basic privileges can inject objects and achieve remote code execution.

Affected (2)

Products: Pydio: Pydio

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Pydio Pydio	Before 8.2.4
Pydio Pydio	Before 8.2.4

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (4)

https://pydio.com/en/community/releases/pydio-core/pydio-core-pydio-enterprise-824-security-release

Source: cve@mitre.org

Vendor Advisory

https://www.certilience.fr/2020/03/cve-2019-20453-vulnerabilite-php-object-injection-pydio-core/

Source: cve@mitre.org

Third Party Advisory

https://pydio.com/en/community/releases/pydio-core/pydio-core-pydio-enterprise-824-security-release

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.certilience.fr/2020/03/cve-2019-20453-vulnerabilite-php-object-injection-pydio-core/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.