{"id":"CVE-2019-9642","details":"An issue was discovered in proxy.php in pydio-core in Pydio through 8.2.2. Through an unauthenticated request, it possible to evaluate malicious PHP code by placing it on the fourth line of a .php file, as demonstrated by a PoC.php created by the guest account, with execution via a proxy.php?hash=../../../../../var/lib/pydio/data/personal/guest/PoC.php request. This is related to plugins/action.share/src/Store/ShareStore.php.","modified":"2026-03-14T00:45:18.158684Z","published":"2019-06-05T17:29:00.803Z","references":[{"type":"ADVISORY","url":"https://pydio.com/en/community/releases/pydio-core/pydio-core-pydio-enterprise-823-security-release"},{"type":"FIX","url":"https://github.com/pydio/pydio-core/commits/develop/core/src/proxy.php"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pydio/pydio-core","events":[{"introduced":"0"},{"last_affected":"87499355dd8666e2885b9f558af4843fce4f82c0"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"8.2.2"}]}}],"versions":["6.2alpha","6.2beta","6.2rc","ajaxplorer-core-4.3.1","ajaxplorer-core-4.3.2","ajaxplorer-core-4.3.3","ajaxplorer-core-4.3.4","ajaxplorer-core-5.0.0","ajaxplorer-core-5.0.1","ajaxplorer-core-5.0.2","ajaxplorer-core-5.0.3","pydio-core-5.1.0","pydio-core-5.1.1","pydio-core-5.2.0","pydio-core-5.2.1","pydio-core-5.2.2","pydio-core-5.2.3","pydio-core-5.2.4","pydio-core-5.2.5","pydio-core-5.3.1","pydio-core-5.3.2","pydio-core-5.3.3","pydio-core-5.3.4","pydio-core-6.0.0","pydio-core-6.0.1","pydio-core-6.0.2","pydio-core-6.0.3","pydio-core-6.0.4","pydio-core-6.0.5","pydio-core-6.0.6","pydio-core-6.0.7","pydio-core-6.0.8","pydio-core-6.2.0","pydio-core-6.2.1","pydio-core-6.2.2","pydio-core-6.2.2rc","pydio-core-6.2.2rc2","pydio-core-6.2.2rc3","pydio-core-6.3.1","pydio-core-6.4.0","pydio-core-6.4.0rc1","pydio-core-6.4.0rc2","pydio-core-6.4.0rc3","pydio-core-6.4.1","pydio-core-6.4.2","pydio-core-6.4.2rc1","pydio-core-6.5.1","pydio-core-6.5.2","pydio-core-6.5.3","pydio-core-6.5.4","pydio-core-6.5.5","pydio-core-7.0.0","pydio-core-7.0.1","pydio-core-7.0.2","pydio-core-7.0.3","pydio-core-7.0.4","pydio-core-8.0.0","pydio-core-8.0.1","pydio-core-8.0.2","pydio-core-8.2.0","pydio-core-8.2.1","pydio-core-8.2.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9642.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}