Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
CVE-2024-22416

8.8HIGH

Key Information:

Vendor
pyload
Status
pyload
Vendor
CVE Published:
18 January 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The pyLoad download manager, an open-source application developed in Python, has a vulnerability that enables Cross-Site Request Forgery (CSRF) attacks due to the lack of 'SameSite: strict' settings on session cookies. This flaw allows an unauthenticated user to execute any API call, potentially leading to unauthorized actions on behalf of the user. The vulnerability was addressed in version 0.5.0b3.dev78, and users are highly recommended to upgrade to protect against possible exploits.

Affected Version(s)

pyload < 0.5.0b3.dev78

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

ensimag-secu3a-cve-2024-22416
Created by mindstorm38

References

https://github.com/pyload/pyload/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/pyload/pyload/commit/1374c824271cb7e92...
x_refsource_MISC
https://github.com/pyload/pyload/commit/c7cdc18ad9134a752...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.