CVE-2024-22416

Опубликовано: 18 янв. 2024

Источник: nvd

CVSS3: 9.6

CVSS3: 8.8

EPSS Низкий

Описание

pyLoad is a free and open-source Download Manager written in pure Python. The pyload API allows any API call to be made using GET requests. Since the session cookie is not set to SameSite: strict, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release 0.5.0b3.dev78. All users are advised to upgrade.

Ссылки

https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e
Patch
https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc
Patch
https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm
Exploit
Third Party Advisory
https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e
Patch
https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc
Patch
https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*

Версия до 0.5.0b3.dev78 (исключая)

EPSS

Процентиль: 90%

0.05898

Низкий

9.6 Critical

CVSS3

8.8 High

CVSS3

Дефекты

CWE-352

Связанные уязвимости

CVE-2024-22416

CVSS3: 9.6

debian

около 2 лет назад

pyLoad is a free and open-source Download Manager written in pure Pyth ...

GHSA-pgpj-v85q-h5fm

CVSS3: 9.6

github

около 2 лет назад

Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation

BDU:2024-01075

CVSS3: 8.8

fstec

около 3 лет назад

Уязвимость программного обеспечения для загрузки файлов pyload, связанная с подделкой межсайтовых запросов, позволяющая нарушителю осуществить CSRF-атаку

EPSS

Процентиль: 90%

0.05898

Низкий

9.6 Critical

CVSS3

8.8 High

CVSS3

Дефекты

CWE-352