CVE-2024-47821 — OS Command Injection in Pyload
Severity
NVD: 2.3 (LOW)
CNA: 9.1
EPSS
1.8% (top 17.14%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Oct 25
Latest update: Oct 28
Description
pyLoad is a free and open-source download manager. The folder `/.pyload/scripts` contains scripts that are run when certain actions complete, e.g. when a download finishes. By downloading an executable file into a folder under `/scripts` and then triggering the respective action, remote code execution can be achieved in versions prior to 0.5.0b3.dev87. A file can be downloaded into such a folder by changing the download folder to a folder in the `/scripts` path and using the `/flashgot` API to download the file…
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Exploitability: 0.8 | Impact: 1.4
Affected Packages: 3 packages
Vulnerability Details
OSV: pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API (2024-10-28)
GHSA: pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API (2024-10-28)
CVEList: pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API (2024-10-25)