Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
CVE-2024-22416

9.7CRITICAL

Key Information:

Vendor

Pyload

Status
Pyload
Vendor
CVE Published:
18 January 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-22416?

The pyLoad download manager, an open-source application developed in Python, has a vulnerability that enables Cross-Site Request Forgery (CSRF) attacks due to the lack of 'SameSite: strict' settings on session cookies. This flaw allows an unauthenticated user to execute any API call, potentially leading to unauthorized actions on behalf of the user. The vulnerability was addressed in version 0.5.0b3.dev78, and users are highly recommended to upgrade to protect against possible exploits.

Affected Version(s)

pyload < 0.5.0b3.dev78

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

ensimag-secu3a-cve-2024-22416
Created by mindstorm38

References

https://github.com/pyload/pyload/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/pyload/pyload/commit/1374c824271cb7e92...
x_refsource_MISC
https://github.com/pyload/pyload/commit/c7cdc18ad9134a752...
x_refsource_MISC

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.7
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2024-22416 : Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation