CVE-2019-20453

moderate-risk
Published 2020-03-17

A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/uploader.http/HttpDownload.php. An authenticated user with basic privileges can inject objects and achieve remote code execution.

Do I need to act?

~
4.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (2)

Pydio
Pydio

Affected Vendors

Pydio

References (4)

Vendor Advisory https://pydio.com/en/community/releases/pydio-core/pydio-core-pydio-enterprise-8...
Third Party Advisory https://www.certilience.fr/2020/03/cve-2019-20453-vulnerabilite-php-object-injec...
Vendor Advisory https://pydio.com/en/community/releases/pydio-core/pydio-core-pydio-enterprise-8...
Third Party Advisory https://www.certilience.fr/2020/03/cve-2019-20453-vulnerabilite-php-object-injec...
45
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 8/34 · Low
Exposure 7/34 · Low