CVE-2024-22416
Published 2024-01-18
Priority P346 · High · 8.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.95% (56.7th percentile)
pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pyload-ng_project | pyload-ng | < 0.5.0b3.dev78 | 0.5.0b3.dev78 |
| pyload-ng_project | pyload-ng | < c7cdc18ad9134a75222974b39e8b427c4af845fc | c7cdc18ad9134a75222974b39e8b427c4af845fc |
| pyload-ng_project | pyload-ng | >= 0 < 0.5.0b3.dev78 | 0.5.0b3.dev78 |
| pyload-ng_project | pyload-ng | >= 0 < 1374c824271cb7e927740664d06d2e577624ca3e | 1374c824271cb7e927740664d06d2e577624ca3e |
| pyload | pyload | < 0.5.0b3.dev78 | 0.5.0b3.dev78 |
OSV · 2024-01-19
CVE-2024-22416 [CRITICAL] Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
### Summary
The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. This proof of concept shows how an unauthenticated user could trick the administrator's browser into creating a new admin user.
### PoC
We host the following HTML file on an attacker-controlled server.
```html
<script>
  // Rewrites the visible URL, then submits the first form on the page
  // (the form element itself is not reproduced on this page)
  history.pushState('', '', '/');
  document.forms[0].submit();
</script>
```
If we now trick an administrator into visiting our malicious page at `https://attacker.com/CSRF.html`, we see that their browser will make a request to `/api/add_user/%22hacker%
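An added, defender-side example (not pyLoad's code) covering the two conditions the Summary names: it audits a `Set-Cookie` value for `SameSite=Strict`, `HttpOnly` and `Secure`, and applies a request policy that refuses state-changing `/api/` calls over GET and rejects cross-site POSTs. The `READ_ONLY` call names, the header handling and the sample cookie are assumptions of the example.

```python
"""Defensive checks for the weakness above: a session cookie issued without
SameSite=Strict plus an API that performs state changes on GET requests."""
from __future__ import annotations
from http.cookies import SimpleCookie

# Assumed read-only API calls; every other /api/<call> is treated as state-changing.
READ_ONLY = {"get_server_version", "status_server", "get_queue"}


def audit_session_cookie(set_cookie: str) -> list[str]:
    """Return a list of findings for one Set-Cookie header value ([] means OK)."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    findings: list[str] = []
    for name, morsel in jar.items():
        samesite = morsel["samesite"].lower()  # "" when the attribute is absent
        if samesite != "strict":
            findings.append(f"{name}: SameSite={samesite or 'unset'}, expected Strict")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure")
    return findings


def api_request_policy(method: str, path: str, headers: dict[str, str]) -> tuple[bool, str]:
    """Decide whether an /api/<call>/... request may run. Returns (allowed, reason).
    Header names are assumed canonical ("Sec-Fetch-Site"). Refusing GET for
    state-changing calls removes the link/img/form-GET CSRF vector; the Fetch
    Metadata check is defence in depth on top of SameSite, not a replacement.
    """
    if not path.startswith("/api/"):
        return True, "not an API path"
    call = path.split("/")[2]
    if call in READ_ONLY:
        return True, "read-only call"
    if method.upper() != "POST":
        return False, f"state-changing call {call!r} must use POST, got {method}"
    # Browsers send Sec-Fetch-Site on every request; non-browser clients omit it
    # and are not CSRF victims, so a missing header is accepted.
    site = headers.get("Sec-Fetch-Site", "none")
    if site not in ("same-origin", "none"):
        return False, f"cross-site request rejected (Sec-Fetch-Site={site})"
    return True, "same-origin POST"


if __name__ == "__main__":
    # Constructed sample cookie in the shape the advisory describes (no SameSite).
    print(audit_session_cookie("session=abc123; Path=/; HttpOnly"))
    print(api_request_policy("GET", "/api/add_user/%22hacker%22", {}))
```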
GHSA · 2024-01-19
CVE-2024-22416 [CRITICAL] CWE-352 Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
OSV · 2024-01-18
CVE-2024-22416: pyLoad is a free and open-source Download Manager written in pure Python
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm
- https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e
- https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc