CVSSv3: 8.8

CVE-2024-22416

Published: 18/01/2024 Updated: 29/01/2024
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 0

Vulnerability Summary

pyLoad is a free and open-source download manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the application up to severe attack possibilities via Cross-Site Request Forgery (CSRF). As a result, any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade.
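The summary combines two facts, an API that acts on GET requests and a session cookie without `SameSite=Strict`, and the following added example (not pyLoad's code and not from the advisory) models why each one alone is enough to block the forged call. It assumes a Chromium-style `Lax` treatment for a cookie whose `SameSite` attribute is unset, ignores the short "Lax+POST" grace period some browsers apply, and uses a constructed placeholder session value.

```python
from dataclasses import dataclass
from http.cookies import SimpleCookie


@dataclass
class Request:
    """A request as the browser sees it (constructed model, not pyLoad code)."""
    method: str
    path: str
    cross_site: bool            # initiated by a page on another site
    top_level_navigation: bool  # link click / redirect, not fetch/img/iframe


def set_session_cookie(samesite: str) -> str:
    """Set-Cookie header for the session cookie with the given SameSite value."""
    jar = SimpleCookie()
    jar["session"] = "constructed-session-id"   # placeholder, not a real id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = samesite       # "Strict", "Lax" or "None"
    return jar.output(header="").strip()


def browser_sends_cookie(samesite: str, req: Request) -> bool:
    """Simplified SameSite rule: is the session cookie attached to this request?"""
    if not req.cross_site:
        return True
    mode = samesite.lower()
    if mode == "strict":
        return False                     # never on cross-site requests
    if mode == "lax":                    # only on top-level GET navigations
        return req.method == "GET" and req.top_level_navigation
    return True                          # SameSite=None: always (cookie is Secure)


def api_call_succeeds(samesite: str, req: Request, accepts_get: bool) -> bool:
    """Does a cross-site page get the API to act?  Needs the cookie and an allowed method."""
    if req.method == "GET" and not accepts_get:
        return False                     # a GET-only CSRF vector is closed by requiring POST
    return browser_sends_cookie(samesite, req)


if __name__ == "__main__":
    # A cross-site link to an API endpoint, i.e. a top-level GET navigation.
    link = Request("GET", "/api/some_call", cross_site=True, top_level_navigation=True)
    for samesite in ("Lax", "Strict"):
        for accepts_get in (True, False):
            print(f"SameSite={samesite:6} GET-API={accepts_get!s:5} "
                  f"forged call succeeds: {api_call_succeeds(samesite, link, accepts_get)}")
    print(set_session_cookie("Strict"))
```

Only the Lax-cookie plus GET-accepting-API row lets the forged call through; switching either the cookie to `Strict` or the API to POST-only closes it.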

Vulnerable Product

pyload-ng project: pyload-ng

Github Repositories

CVE-2024-22416 exploit experiments

CVE-2024-22416 Reference report: GHSA-pgpj-v85q-h5fm. This repository contains a docker compose configuration that sets up both a pyLoad server and an attacker server that just provides a csrfhtml. To test yourself, just run docker composer up (you need to have docker composer installed in addition to docker). Then, start by going to localhost:8000, which is the pyLoad login pa