GitHub_MCVELIST:CVE-2024-22416CVE-2024-22416 Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
48.6%
pyLoad is a free and open-source Download Manager written in pure Python. The pyload API allows any API call to be made using GET requests. Since the session cookie is not set to SameSite: strict, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release 0.5.0b3.dev78. All users are advised to upgrade.
CNA Affected
[
{
"vendor": "pyload",
"product": "pyload",
"versions": [
{
"version": "< 0.5.0b3.dev78",
"status": "affected"
}
]
}
]Related
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
48.6%