Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-21644Improper Access Control in Pyload

CWE-284Improper Access Control5 documents5 sources
Severity
7.5HIGHNVD
EPSS
86.5%
top 0.58%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
PyloadPyload-ng Project Pyload-ng
Timeline
PublishedJan 8

Description

pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

CVEListV5pyload/pyload< 0.5.0b3.dev77
PyPIpyload-ng_project/pyload-ng< 0.5.0b3.dev77
NVDpyload/pyload0.4.9+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
pyload Unauthenticated Flask Configuration Leakage vulnerability2024-01-08
GHSA
pyload Unauthenticated Flask Configuration Leakage vulnerability2024-01-08
CVEList
pyLoad unauthenticated flask configuration leakage2024-01-08

💥Exploits & PoCs

1
Nuclei
pyLoad Flask Config - Access Control
CVE-2024-21644 — Improper Access Control in Pyload | cvebase