CVE-2018-20718

CRITICAL

Pydio < 8.2.2 - Insecure Deserialization

Title source: rule

Description

In Pydio before 8.2.2, an attack is possible via PHP Object Injection because a user is allowed to use the $phpserial$a:0:{} syntax to store a preference. An attacker either needs a "public link" of a file, or access to any unprivileged user account for creation of such a link.

Exploits (1)

nomisec WORKING POC 3 stars

by us3r777 · poc

https://github.com/us3r777/CVE-2018-20718

View Code ZIP pw:eip

References (1)

[Exploit, Third Party Advisory] https://blog.ripstech.com/2018/pydio-unauthenticated-remote-code-execution/

Scores

CVSS v3 9.8

EPSS 0.0939

EPSS Percentile 92.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (1)

pydio/pydio < 8.2.2

Timeline

Published Jan 15, 2019

Tracked Since Feb 18, 2026