cvebase
CVE-2024-21645
published 2024-01-08


Priority: P3
CVSS 3.1: 5.3 (medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploit: available (Nuclei template, see Detection & IOCs)
EPSS: 24.51% (97.6th percentile)
pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act. The injection point used by the public check is the `username` field of the `/login` form: a URL-encoded newline (`%0a`) terminates the genuine failed-login entry and starts a forged one with an attacker-chosen timestamp and message. This vulnerability has been patched in version 0.5.0b3.dev77.

Affected (4 ranges)

Vendor             Product    Version range             Fixed in
pyload-ng_project  pyload-ng  >= 0, < 0.5.0b3.dev77     0.5.0b3.dev77
pyload             pyload     < 0.5.0b3.dev77           0.5.0b3.dev77
pyload             pyload     <= 0.4.9                  (not listed)
pyload             pyload     (not listed)              (not listed)

Detection & IOCs (extracted from sources)

Nuclei template request sequence:
  1. POST /login?next={{RootURL}}
     body: do=login&username={{randstr}}\'%0a[1970-01-01 00:00:00] INJECTED {{str}} THIS ENTRY HAS BEEN INJECTED&password=wrong&submit=Login
  2. POST /login?next={{RootURL}}/logs (a valid login whose redirect lands on the log viewer)
  • The payload is delivered through the `username` field of the pyLoad login endpoint; the URL-encoded newline (`%0a`) ends the genuine failed-login entry and starts a forged one. Hunt for `%0a`, `%0d` or raw CR/LF characters in POST bodies to `/login`, in the `username` parameter in particular.
  • Successful exploitation is confirmed when the injected marker string appears verbatim in the response body of `/logs` after the forged login attempt.
  • Shodan/FOFA fingerprinting of exposed pyLoad instances: HTTP title "login - pyload" or an HTML body containing "pyload".
  • The injection itself is unauthenticated; only the verification step (reading `/logs`) needs a valid login. Monitor POST requests to `/login` with newline characters (`%0a` or `\n`) in the `username` parameter regardless of whether the login attempt succeeded.
  • Fixed in pyLoad version 0.5.0b3.dev77 and later; instances running earlier versions are affected.
  • The Nuclei template uses two sequential requests: the first injects the forged log entry, the second authenticates and follows the redirect to `/logs` to check that the injected content appears in the response. Both requests must succeed (HTTP 200 after redirect) for a positive match.
  • The template's forged entry carries a 1970 timestamp only so that it is easy to spot; a real attacker would pick a plausible timestamp and message, so review the log around the time of the suspicious `/login` request rather than hunting on the timestamp alone.
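The two checks described in the notes above, written out as an added example in Python (pyLoad's own language). This is not code from pyLoad, from the advisory, or from the Nuclei template: it flags `/login` POST bodies whose decoded `username` (or any other form field) contains CR/LF, shows the generic escaping a logger needs so such a value cannot start a new line, and triages an existing log for entries whose timestamp runs backwards, which is how the template's forged `[1970-01-01 00:00:00]` line looks once it lands in the file. The log entry format `[YYYY-MM-DD HH:MM:SS] ...` is an assumption taken from the payload's own forged prefix, not from pyLoad's formatter; the request bodies and log lines are constructed, not captured.

```python
"""Request-side and log-side checks for CVE-2024-21645-style log injection.

Added example, not pyLoad or advisory code. The "[YYYY-MM-DD HH:MM:SS]" entry
prefix is an assumption taken from the forged line in the public payload.
"""
from datetime import datetime
from urllib.parse import parse_qs, urlsplit
import re

CRLF = re.compile(r"[\r\n]")
LOG_TS = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")


def injected_fields(method: str, url: str, body: str) -> list[str]:
    """Names of /login POST form fields whose decoded value contains CR or LF."""
    if method.upper() != "POST" or not urlsplit(url).path.endswith("/login"):
        return []
    # parse_qs percent-decodes, so %0a, %0A, %0d and a raw newline all become
    # real control characters here; a double-encoded %250a stays harmless text.
    fields = parse_qs(body, keep_blank_values=True)
    return [name for name, values in fields.items()
            if any(CRLF.search(v) for v in values)]


def sanitize_for_log(value: str) -> str:
    """Escape CR/LF so a user-controlled value cannot start a new log line.

    Generic mitigation shown for contrast; not necessarily pyLoad's own patch.
    """
    return value.replace("\r", "\\r").replace("\n", "\\n")


def forged_entries(log_text: str) -> list[int]:
    """1-based line numbers of entries timestamped earlier than an entry above them."""
    suspicious: list[int] = []
    newest = None
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_TS.match(line)
        if not m:
            continue  # continuation line (traceback etc.), not a new entry
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if newest is not None and ts < newest:
            suspicious.append(n)
        newest = ts if newest is None else max(newest, ts)
    return suspicious


# Constructed request bodies: the template payload with its placeholders filled
# in, and an ordinary failed login for comparison.
ATTACK_BODY = ("do=login&username=abc123\\'%0a[1970-01-01 00:00:00] INJECTED xyz "
               "THIS ENTRY HAS BEEN INJECTED&password=wrong&submit=Login")
BENIGN_BODY = "do=login&username=alice&password=wrong&submit=Login"

# Constructed log excerpt: what the file looks like when ATTACK_BODY's username
# is written unescaped. Line 3 is the forged entry.
SAMPLE_LOG = "\n".join([
    "[2024-01-08 10:00:01] INFO     pyLoad started",
    "[2024-01-08 10:00:05] WARNING  Login failed for user abc123\\'",
    "[1970-01-01 00:00:00] INJECTED xyz THIS ENTRY HAS BEEN INJECTED",
    "[2024-01-08 10:00:09] INFO     Login succeeded for user admin",
])

if __name__ == "__main__":
    print("attack body flags:", injected_fields("POST", "/login?next=http://pyload.local/", ATTACK_BODY))
    print("benign body flags:", injected_fields("POST", "/login", BENIGN_BODY))
    raw_user = parse_qs(ATTACK_BODY)["username"][0]
    print("escaped for logging:", sanitize_for_log(raw_user))
    print("suspicious log lines:", forged_entries(SAMPLE_LOG))
```

`injected_fields` works on the decoded form, so it catches `%0a`, `%0A`, `%0d` and raw newlines alike; `forged_entries` is a triage aid, not proof, since an attacker who picks a plausible timestamp will not trip it.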