CVE-2019-15033

Name of the Vulnerable Software and Affected Versions Pydio version 6.0.8

Description The issue allows for Authenticated Server-Side Request Forgery (SSRF) during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to "index.php" when sending a file to a remote server. This is demonstrated by the file=http%3A%2F%2F192.168.1.2 substring.

Recommendations For Pydio version 6.0.8, as a temporary workaround, consider restricting access to the "index.php" endpoint or avoid using the file parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.