CVE-2019-15032 - Username Leak via Improper Error Handling on Pydio Community

Summary

Pydio, a file management platform, improperly handles filters on user input, leading to a vulnerability where attackers can send specific payloads to force internal errors, causing usernames to leak.

Key Points

Description

- Vulnerability Root Cause: Improper handling of input filters in the "Remote Server" feature allows attackers to input URLs pointing to internal addresses.
- Request Behavior: When an attacker sends a request to a non-existent resource, Pydio responds with an error message that contains internal directory paths and usernames.

Impact

- Helper for Other Vulnerabilities: Leaked usernames can assist in brute-force attacks to crack passwords.
- Exploitation Without Authentication: Attackers can exploit the vulnerability by making use of Pydio's folder creation and sharing features.

Mitigation

- Update Pydio Application: Upgrade to the latest version to patch the vulnerability.

Conclusion

Attackers with access to Pydio can exploit this vulnerability to gather more information about the application, OS, and stack structure. This vulnerability can be combined with CVE-2019-15033 to cause significant impacts.
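
The error-handling flaw described above, sketched as an added example (not Pydio's code and not part of the original advisory): a handler that echoes the raw exception next to one that keeps the detail server-side, plus a check that flags filesystem paths and account names in a response body. All function names, the USER_ROOTS defaults and the sample path are assumptions made for illustration.

```python
import logging
import re
import uuid

log = logging.getLogger("app.errors")

# Absolute POSIX or Windows paths; the lookbehind skips URL path segments.
PATH_RE = re.compile(r"(?<![:/\w])(?:[A-Za-z]:\\|/)(?:[\w.\-]+[\\/])+[\w.\-]*")

# Directories whose next component is an account name (assumed defaults;
# add the per-user storage roots of your own deployment).
USER_ROOTS = ("/home/", "/Users/", "\\Users\\")


def find_leaks(body, user_roots=USER_ROOTS):
    """Return (paths, usernames) that a response body exposes."""
    paths = PATH_RE.findall(body)
    users = set()
    for path in paths:
        for root in user_roots:
            _, sep, tail = path.partition(root)
            if sep and tail:
                users.add(re.split(r"[\\/]", tail)[0])
    return paths, sorted(users)


def vulnerable_error(exc):
    """Before: the raw exception text is echoed to the client."""
    return {"status": 500, "body": f"Error: {exc}"}


def hardened_error(exc):
    """After: detail stays in the server log, the client gets a reference."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s %s", ref, exc)
    return {"status": 500, "body": f"An internal error occurred (ref {ref})."}


if __name__ == "__main__":
    # Constructed sample: a lookup of a resource that does not exist.
    exc = FileNotFoundError("Cannot open /home/alice/data/files/missing.txt")
    for handler in (vulnerable_error, hardened_error):
        resp = handler(exc)
        print(handler.__name__, resp["body"], find_leaks(resp["body"]))
```

Running find_leaks over the error responses captured in an integration test gives a regression check that fails whenever a path or account name reaches the client.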