Unrestricted File Upload Vulnerability in Pydio's Zoho Plugin by Pydio
CVE-2013-6227

Key Information:

Vendor: Pydio

CVE Published: 27 December 2014

Badges

👾 Exploit Exists · 🟡 Public PoC · 🟣 EPSS 19%

What is CVE-2013-6227?

The Zoho plugin in Pydio (formerly known as AjaXplorer) contains an unrestricted file upload weakness in its file handling functionality, specifically in the save_zoho.php script. The script accepts uploaded files without validating their type, so an attacker can place an executable file on the server and achieve arbitrary code execution. Once such a file has been uploaded, it can be executed by requesting a URL built from the format parameter in a move operation. Users are strongly advised to upgrade to Pydio version 5.0.4 or later to mitigate this vulnerability.
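The weakness class named above (an upload handler that accepts any file type and stores it where the web server can later execute it) is easiest to understand next to a handler that closes it. The PHP below is an added example written for this page; it is not Pydio's save_zoho.php or any other Pydio code, and the storage directory, size limit, allowlist and function names are assumptions. The weak handler is shown only to make the contrast concrete; the hardened one validates by content, stores under a server-generated name outside the document root, and logs every rejection so defenders can detect probing.

```php
<?php
// Added example, not Pydio's code. Illustrates the unrestricted-upload
// weakness class described in CVE-2013-6227 and one way to close it.
declare(strict_types=1);

// --- Weak pattern (what NOT to do) -----------------------------------------
// Trusts the client-supplied name and writes into a web-reachable directory,
// so anything uploaded can be fetched, and possibly executed, by URL.
function weakUpload(array $file, string $webroot): bool
{
    return move_uploaded_file($file['tmp_name'], $webroot . '/' . $file['name']);
}

// --- Hardened pattern -------------------------------------------------------
// Allowlist keyed by extension; value is the MIME type the *content* must
// report. Assumed set; adjust to what the application really needs.
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'txt'  => ['text/plain'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];

// Storage outside the document root (assumed path): even if validation were
// bypassed, no URL maps to the stored file, so it cannot be executed by the
// web server.
const UPLOAD_DIR = '/var/lib/app/uploads';
const MAX_BYTES  = 10 * 1024 * 1024;

/**
 * Validate one $_FILES entry and return the path it should be stored at.
 * Throws RuntimeException with the reason when the upload is rejected.
 */
function validateUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload missing or failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // The client-supplied name is used only to pick an allowlisted extension.
    $ext = strtolower(pathinfo(basename((string) $file['name']), PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension '$ext' is not allowed");
    }

    // Check the bytes, not $file['type']: the client-reported type is
    // attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException("content type '$mime' does not match .$ext");
    }

    // Server-generated name: no user-controlled path components survive, so a
    // destination or format parameter cannot steer the file elsewhere.
    return UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

function handleUpload(): void
{
    header('Content-Type: application/json');
    try {
        $target = validateUpload($_FILES['file'] ?? []);
        if (!move_uploaded_file($_FILES['file']['tmp_name'], $target)) {
            throw new RuntimeException('could not store file');
        }
        chmod($target, 0640); // data only, never executable
        http_response_code(200);
        echo json_encode(['stored' => basename($target)]);
    } catch (RuntimeException $e) {
        // Every rejection is logged: a burst of rejected executables from one
        // client is a useful detection signal.
        error_log('upload rejected from ' . ($_SERVER['REMOTE_ADDR'] ?? '?') . ': ' . $e->getMessage());
        http_response_code(400);
        echo json_encode(['error' => 'upload rejected']);
    }
}

handleUpload();
```

Serving stored files back should go through a download endpoint that looks the file up by its generated name and sends it with a fixed Content-Type and Content-Disposition: attachment, rather than exposing UPLOAD_DIR under the web root.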

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

EPSS Score

19% chance of being exploited in the next 30 days.

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability reserved
