CVE-2024-32880
Published 2024-04-26. CVE-2024-32880: pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the…
Priority P3 (46) | CVSS 3.1: 7.2 high
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.35% (68.1th percentile)
pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to that folder, leading to remote code execution. There is no fix available at the time of publication.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pyload-ng_project | pyload-ng | 0 – 0.5.0 | — |
| pyload | pyload | <= 0.5.0 | — |
OSV · 2024-04-24: CVE-2024-32880 [CRITICAL] pyLoad allows upload to arbitrary folder lead to RCE
### Summary
An authenticated user can change the download folder and upload a crafted template to that folder, leading to remote code execution.
### Details
Example version: 0.5
File: src/pyload/webui/app/blueprints/app_blueprint.py
```python
import mimetypes
import flask
from flask import render_template  # bp is the blueprint defined earlier in this file

@bp.route("/render/<path:filename>", endpoint="render")  # the <path:filename> converter was lost in extraction and is restored here
def render(filename):
    mimetype = mimetypes.guess_type(filename)[0] or "text/html"
    data = render_template(filename)  # user-supplied name is resolved against the template folder and rendered by Jinja
    return flask.Response(data, mimetype=mimetype)
```
So, if we can control a file in the path "pyload/webui/app/templates" in the latest version, or in "module/web/media/js" in the older version 0.4.20 (the difference is that 0.4.20 only renders files with the ".js" extension), the render_template function behaves like SSTI (server-side template injection) when r
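A defender-side check for the two preconditions described above (a download folder that resolves into the application tree, and a render route that accepts arbitrary template names), as an added example that is not pyLoad's own code; the directory layout, the `app_root` argument and the template allowlist are constructed assumptions for the demo.

```python
"""Guards against the pyLoad-style bug: a user-settable download folder pointed at
the web UI's template directory turns an uploaded file into a rendered template."""
import os
import tempfile
from pathlib import Path
from typing import Dict, FrozenSet, Optional


def is_inside(candidate: Path, base: Path) -> bool:
    """True if candidate is base itself or lies beneath it, after resolving symlinks and '..'."""
    c, b = candidate.resolve(), base.resolve()
    return c == b or b in c.parents


def validate_download_folder(download_folder: str, app_root: str) -> bool:
    """Reject any download folder inside the application tree (templates, static, code),
    because files written there can be picked up by the loader or the server."""
    return not is_inside(Path(download_folder).expanduser(), Path(app_root))


def safe_template_name(filename: str, allowed: FrozenSet[str]) -> Optional[str]:
    """Serve only templates from a fixed allowlist; never a caller-chosen path."""
    name = filename.replace("\\", "/").lstrip("/")
    if name in allowed and ".." not in name.split("/"):
        return name
    return None


def demo() -> Dict[str, bool]:
    """Constructed layout: <tmp>/app/templates, a plain downloads dir, and a symlink
    that aliases the template dir (the bypass a naive string-prefix check would miss)."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp, "app")
        (app / "templates").mkdir(parents=True)
        downloads = Path(tmp, "downloads")
        downloads.mkdir()
        alias = Path(tmp, "alias")
        os.symlink(app / "templates", alias)
        return {
            "plain_downloads_ok": validate_download_folder(str(downloads), str(app)),
            "templates_rejected": not validate_download_folder(str(app / "templates"), str(app)),
            "symlink_rejected": not validate_download_folder(str(alias), str(app)),
            "dotdot_rejected": not validate_download_folder(
                str(downloads / ".." / "app" / "templates"), str(app)),
        }
```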
GHSA · 2024-04-24: CVE-2024-32880 [CRITICAL] CWE-434 pyLoad allows upload to arbitrary folder lead to RCE (same advisory text as the OSV entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-04-26