CVE-2024-32880 — Unrestricted File Upload in Pyload

CWE-434 — Unrestricted File Upload4 documents4 sources

Severity

7.2HIGHNVD

CNA9.1

EPSS

4.0%

top 11.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pyload Pyload-ng Project Pyload-ng

Timeline

PublishedApr 26

Description

pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution. There is no fix available at the time of publication.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5pyload/pyload4.2.0

▶NVDpyload/pyload0.5.0

▶PyPIpyload-ng_project/pyload-ng0.5.0

🔴Vulnerability Details

CVEList

pyLoad allows upload to arbitrary folder lead to RCE↗2024-04-26

▶

OSV

pyLoad allows upload to arbitrary folder lead to RCE↗2024-04-24

▶

GHSA

pyLoad allows upload to arbitrary folder lead to RCE↗2024-04-24

▶