CVE-2010-10013
Severity CVSS v4.0:
CRITICAL
Type:
CWE-78
OS Command Injections
Publication date:
08/08/2025
Last modified:
08/08/2025
Description
An unauthenticated remote command execution vulnerability exists in AjaXplorer (now known as Pydio Cells) versions prior to 2.6. The flaw resides in the checkInstall.php script within the access.ssh plugin, which fails to properly sanitize user-supplied input to the destServer GET parameter. By injecting shell metacharacters, remote attackers can execute arbitrary system commands on the server with the privileges of the web server process.
Impact
Base Score 4.0
9.30
Severity 4.0
CRITICAL
References to Advisories, Solutions, and Tools
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
- https://sourceforge.net/projects/ajaxplorer/
- https://www.exploit-db.com/exploits/21993
- https://www.tenable.com/plugins/nessus/45489
- https://www.vulncheck.com/advisories/ajaxplorer-unauth-rce
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
- https://www.exploit-db.com/exploits/21993