Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
CVE-2024-22416
9.7CRITICAL
Key Information:
Badges
๐พ Exploit Exists๐ก Public PoC
What is CVE-2024-22416?
The pyLoad download manager, an open-source application developed in Python, has a vulnerability that enables Cross-Site Request Forgery (CSRF) attacks due to the lack of 'SameSite: strict' settings on session cookies. This flaw allows an unauthenticated user to execute any API call, potentially leading to unauthorized actions on behalf of the user. The vulnerability was addressed in version 0.5.0b3.dev78, and users are highly recommended to upgrade to protect against possible exploits.
Affected Version(s)
pyload < 0.5.0b3.dev78
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
