PT-2019-11399 · Imagemagick+1 · Imagemagick+1

Published

2019-05-31

Updated

2019-06-03

CVE-2019-10048

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Pydio versions through 8.2.2

Description: The issue concerns the ImageMagick plugin in Pydio, which does not properly validate and sanitize user-supplied input in its configuration options. This allows an attacker to execute arbitrary shell commands on the underlying operating system with the privileges of the local user running the web server. The attacker must be authenticated into the application with an administrator user account to edit the affected plugin configuration.

Recommendations: For Pydio versions through 8.2.2, update to a version that includes the fix for the ImageMagick plugin configuration vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2019-10048

Affected Products

Imagemagick

Pydio

PT-2019-11399 · Imagemagick+1 · Imagemagick+1

CVE-2019-10048

Weakness Enumeration

Related Identifiers

Affected Products

References · 3