Pydio Core Cross-Site Scripting Vulnerability in New URL Bookmark Feature
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Pydio Core versions through 8.2.5, specifically within the 'New URL Bookmark' feature. This vulnerability allows users to inject malicious JavaScript, which can be executed when the bookmark is accessed. The issue could lead to account takeover and facilitate phishing attacks.
Impact
Exploitation of this vulnerability allows for the execution of injected JavaScript, potentially leading to account takeover and phishing attacks.
Reproduction
To reproduce this vulnerability, log into Pydio as any user and navigate to 'New' > 'New URL Bookmark'. Enter a URL that uses the javascript: scheme, such as 'javascript:alert(1)', and provide a label for the bookmark. After saving, double-clicking the bookmark will trigger the XSS payload. If the bookmark is created in the 'Common Files' folder, the XSS will activate for all logged-in users viewing the file.
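The root cause is that the bookmark target is stored and later opened without its URL scheme being restricted. The following is an added example (not Pydio's code) of the check a web client or server should apply before saving a bookmark: it contrasts a naive prefix test with a scheme allowlist applied after normalisation through the WHATWG URL parser, which is what the browser itself uses when it navigates. The bookmark shape and the sample inputs are assumed/constructed for this illustration.

```javascript
// Added example, not Pydio code: scheme allowlist for a stored URL bookmark.
// Assumes a bookmark { label, url } is validated before it is saved and the
// stored url is later opened client-side (the advisory's double-click case).

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Naive check of the kind that is easy to get wrong: a plain prefix match.
function naiveIsSafe(url) {
  return !url.toLowerCase().startsWith("javascript:");
}

// Hardened check: normalise through the WHATWG URL parser, then allowlist the
// resulting scheme. Returns the canonical URL to store, or null to reject.
function safeBookmarkUrl(input) {
  if (typeof input !== "string" || input.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(input); // no base URL: relative or empty input throws
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href; // scheme lower-cased, surrounding whitespace dropped
}

// Constructed inputs: the advisory's payload plus variants a prefix check
// misses, because the browser strips leading whitespace and embedded
// tabs/newlines and ignores case before it resolves the scheme.
const SAMPLES = [
  "https://example.com/docs",
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  "  javascript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,x",
  "example.com/no-scheme",
];

// Returns one row per sample: [input, naiveVerdict, hardenedVerdict].
function compareChecks(samples = SAMPLES) {
  return samples.map((s) => [s, naiveIsSafe(s), safeBookmarkUrl(s) !== null]);
}

for (const [input, naive, hardened] of compareChecks()) {
  console.log(JSON.stringify(input), "naive:", naive, "hardened:", hardened);
}
```

Only the first sample survives the hardened check; the naive prefix test wrongly accepts the whitespace and tab variants.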
Remediation
Users are encouraged to upgrade to Pydio Cells, the latest version of the software. Pydio Enterprise users should contact Pydio directly for assistance. Instructions for upgrading Pydio 8.2.5 are available on the Pydio website.
