CVE-2018-1999018: Input Validation
First published: Mon Jul 23 2018(Updated: )
Pydio version 8.2.1 and prior contains an Unvalidated user input leading to Remote Code Execution (RCE) vulnerability in plugins/action.antivirus/AntivirusScanner.php: Line 124, scanNow($nodeObject) that can result in An attacker gaining admin access and can then execute arbitrary commands on the underlying OS. This attack appear to be exploitable via The attacker edits the Antivirus Command in the antivirus plugin, and executes the payload by uploading any file within Pydio.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pydio Cells | <=8.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for Pydio?
The vulnerability ID for Pydio is CVE-2018-1999018.
What is the severity of CVE-2018-1999018?
The severity of CVE-2018-1999018 is high with a CVSS score of 6.6.
How does CVE-2018-1999018 work?
CVE-2018-1999018 is an unvalidated user input vulnerability in the Pydio plugin 'AntivirusScanner.php' that allows an attacker to execute arbitrary commands and gain admin access.
How can an attacker exploit CVE-2018-1999018?
An attacker can exploit CVE-2018-1999018 by sending specially crafted input to the 'scanNow' function in the 'AntivirusScanner.php' file.
Is there a fix for CVE-2018-1999018?
Yes, upgrading to a version of Pydio that is higher than 8.2.1 will fix CVE-2018-1999018.
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/description
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/pydio
- canonical/pydio cells
- version/pydio cells/8.2.1