PT-2025-32392 · Pydio Cells · Access.Ssh
Published: 2025-08-08 · Updated: 2025-08-08
CVE-2010-10013
CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions:
AjaXplorer/Pydio Cells versions prior to 2.6
Description:
An unauthenticated remote command execution vulnerability exists due to improper sanitization of user-supplied input to the destServer GET parameter within the checkInstall.php script of the access.ssh plugin. This allows remote attackers to execute arbitrary system commands on the server with the privileges of the web server process by injecting shell metacharacters.
Recommendations:
Update AjaXplorer/Pydio Cells to version 2.6 or later.
Fix
OS Command Injection
Affected Products
Ajaxplorer/Pydio Cells
Access.Ssh