CVE-2018-20718

Name of the Vulnerable Software and Affected Versions: Pydio versions prior to 8.2.2

Description: The issue allows for an attack via PHP Object Injection. This is possible because a user can store a preference using the $phpserial$a:0:{} syntax. An attacker would need either a public link of a file or access to any unprivileged user account to create such a link.

Recommendations: For versions prior to 8.2.2, update to version 8.2.2 or later to resolve the issue. As a temporary workaround, consider restricting the ability to store preferences using the $phpserial$a:0:{} syntax until a patch is available.