Arbitrary Command Execution in Ajaxeplorer by Pydio
CVE-2013-4267

9.8 CRITICAL

Key Information:

Vendor

Pydio

CVE Published:
11 February 2020

What is CVE-2013-4267?

Ajaxeplorer before version 5.0.1 is susceptible to remote command execution because user input is passed to the shell without sufficient validation in several places. Attackers can inject shell metacharacters through (1) the archive_name parameter of the Power FS module, (2) a crafted file name processed by the getTrustSizeOnFileSystem function, or (3) the revision parameter of the Subversion Repository module. Each of these weaknesses could allow an attacker to execute arbitrary commands on the server.

Affected Version(s)

Ajaxeplorer before 5.0.1

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
