HIGH · 7.7

CVE-2019-15033


Vulnerability Description

Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as demonstrated by the file=http%3A%2F%2F192.168.1.2 substring.

CVSS Score

7.7

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality: HIGH
Integrity: NONE
Availability: NONE

Affected Products

Vendor: Pydio
Product: Pydio
Versions: 6.0.8

Related Weaknesses (CWE)

References

FAQ

What is CVE-2019-15033?

CVE-2019-15033 is a vulnerability with a CVSS score of 7.7 (HIGH). Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as ...

How severe is CVE-2019-15033?

CVE-2019-15033 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2019-15033?

Check the references section above for vendor advisories and patch information. Affected products include: Pydio Pydio.