Author: Muhammad Zeeshan (Xib3rR4dAr)
CVE: CVE-2024-40124
Title: Pydio Core <= 8.2.5 Stored XSS
Date published: June 25, 2024
Impact: Execution of malicious JavaScript leading to account takeover and phishing attacks.
The Pydio website states that:
Pydio is the world’s largest Open Source file sharing and synchronization focused project for the enterprise. Pydio is a founder's owned company. The Pydio Project delivers a sustainable balance between enterprise customers needs and Open-Source collaborative spirit. Sold in 25 countries, from Cupertino to Singapore, Pydio is used by leading brands such as Nikon, Ion Geophysical, and Guitar Center. Pydio also serves education and government clients such as Cambridge University (UK) and ADEME (France). It currently has over one million downloads.
Pydio (formerly AjaXplorer) is an open source EFSS (Enterprise File Synchronization and Sharing) solution that can be deployed on-premise or in a hybrid / cloud environment, so that users can upload files to the server and share them via public links, much as Google Drive, Dropbox and other cloud services work. Pydio is available either as a Community distribution (ideal for home use) that is free forever, or as an Enterprise distribution, which provides all the features, support and compliance needed for secure file sharing.
Affected version: Pydio Core 8.2.5, the latest version at the time of testing.
Older versions are probably affected too, but they were not checked.
A stored XSS vulnerability was found in the last released version of Pydio Core, 8.2.5, in the "New URL Bookmark" feature. It can be exploited to execute malicious JavaScript in other users' sessions, take over their accounts and perform phishing attacks. The "New URL Bookmark" feature creates a bookmark file that opens its URL when clicked. The URL is not restricted to http/https: a javascript: URL is accepted and stored, and the script runs when the bookmark is opened.
- Login to Pydio as any user
- Goto "New" > "New URL Bookmark"
- Set URL to javascript:alert('XSS_Pentest')
- Set any label for the bookmark
- Click "OK"
- Double-clicking the newly created bookmark file triggers the XSS.
If the bookmark is placed in a workspace's "Common Files" folder, the malicious file is visible to all logged-in users and the payload runs whenever any of them opens it. The file can also be shared publicly or with specific users, which enables public or targeted attacks.
According to the Pydio Core 8.2.5 release notes, v8.2.5 is the last update for the Pydio 8 community edition, which was declared end-of-life at the end of 2019 and therefore may not receive security patches going forward. Pydio Enterprise users should contact Pydio directly to mitigate the issue. The Pydio developers encourage users to upgrade to Pydio Cells, a complete rewrite of Pydio in Go, which is not vulnerable.
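For deployments that cannot upgrade, the root cause is a user-supplied bookmark URL that reaches the browser with no scheme check. The following is an added example (not Pydio's code) of the allowlist validation such a feature needs, run through the WHATWG URL parser so that case and whitespace variants of the scheme normalise before the check; the function names and sample inputs are constructed for illustration.

```javascript
// Added example, not part of Pydio: scheme allowlisting for stored bookmark URLs.
// The vulnerable pattern behind CVE-2024-40124 is equivalent to this: the stored
// string is handed straight to the browser, so "javascript:" runs in the viewer's session.
function openBookmarkUnsafe(storedUrl, win) {
  return win.open(storedUrl); // no scheme check at all (do not use)
}

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalised absolute URL when it is safe to store and open, else null.
function sanitizeBookmarkUrl(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    // The URL parser lowercases the scheme, strips leading/trailing spaces and
    // C0 controls, and removes embedded tab/CR/LF, so a naive startsWith("javascript:")
    // check is not needed and would be weaker: variants normalise to "javascript:".
    parsed = new URL(raw);
  } catch (_e) {
    return null; // relative, protocol-relative or malformed input: reject, no fallback
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null; // blocks javascript:, data:, vbscript:, ...
  if (parsed.hostname === "") return null;
  return parsed.href;
}

function isSafeBookmarkUrl(raw) {
  return sanitizeBookmarkUrl(raw) !== null;
}

// Hardened open: validate at save time and again when the bookmark is used,
// so an entry written through another path (API, import) is still caught.
function openBookmarkSafe(storedUrl, win) {
  const url = sanitizeBookmarkUrl(storedUrl);
  if (url === null) throw new Error("refusing to open bookmark: disallowed URL scheme");
  return win.open(url, "_blank", "noopener,noreferrer");
}

// Constructed sample inputs (not from the advisory) to show what the check accepts.
const SAMPLE_BOOKMARKS = [
  "https://example.com/docs",          // accepted
  "javascript:alert('XSS_Pentest')",   // the advisory's payload: rejected
  "  JavaScript:alert(1)",             // rejected after normalisation
  "data:text/html,hello",              // rejected: scheme not on the allowlist
  "//evil.example/phish",              // rejected: not an absolute URL
];

function classifyBookmarks(samples) {
  return samples.map((u) => ({ url: u, safe: isSafeBookmarkUrl(u) }));
}
```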