CVE-2018-20718

Published: 15/01/2019 Updated: 24/08/2020
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 890
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

In Pydio prior to 8.2.2, an attack is possible via PHP Object Injection because a user is allowed to use the $phpserial$a:0:{} syntax to store a preference. An attacker either needs a "public link" of a file, or access to any unprivileged user account for creation of such a link.

Vulnerable Product

pydio pydio

GitHub Repositories

CVE-2018-20718: This is a POC for CVE-2018-20718. It is a PHP Object Injection vulnerability. The vulnerability affects all versions of Pydio before 8.2.1 and leads to unauthenticated remote code execution. It was originally found by RIPS. I found a gadget in Pydio\Core\Controller\ShutdownScheduler which allows remote code execution if combined with the already known GuzzleHttp\Psr