Mike Gualtieri

**Name of the Vulnerable Software and Affected Versions** Pydio versions 8.2.0 and earlier **Description** The issue is related to a Cross Site Scripting (XSS) vulnerability that can be exploited by an unauthenticated remote attacker. This can result in the manipulation of the web client via XSS code injection when a victim opens a specially crafted URL. The vulnerability is located in specific files, including ./core/vendor/meenie/javascript-packer/example-inline.php and ./core/vendor/dapphp/securimage/examples/test.mysql.static.php. **Recommendations** For Pydio versions 8.2.0 and earlier, update to version 8.2.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Pydio versions 8.2.0 and earlier **Description** The issue is related to a Server-Side Request Forgery (SSRF) vulnerability in the `getUpgradePath($url)` function, located in `plugins/action.updater/UpgradeManager.php`. This vulnerability can be exploited by an authenticated admin user who enters a URL into the Upgrade Engine and then reloads the page or presses "Check Now", allowing the attacker to request arbitrary URLs and pivot requests through the server. **Recommendations** For Pydio versions 8.2.0 and earlier, update to version 8.2.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Pydio versions 8.2.1 and prior **Description** The issue is related to unvalidated user input, leading to remote code execution. This can result in an attacker gaining admin access and executing arbitrary commands on the underlying OS. The attack is exploitable by editing the Antivirus Command in the antivirus plugin and executing the payload by uploading any file within Pydio. **Recommendations** For Pydio versions 8.2.1 and prior, at the moment, there is no information about a newer version that contains a fix for this vulnerability.