Lucene search

[email protected]NVD:CVE-2024-22416

HistoryJan 18, 2024 - 12:15 a.m.

CVE-2024-22416

2024-01-1800:15:38

CWE-352

[email protected]

web.nvd.nist.gov

cve-2024-22416

pyload

download manager

csrf attack

python

open-source

severe attack

samesite

upgrade

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.001

Percentile

29.5%

JSON

pyLoad is a free and open-source Download Manager written in pure Python. The pyload API allows any API call to be made using GET requests. Since the session cookie is not set to SameSite: strict, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release 0.5.0b3.dev78. All users are advised to upgrade.

Affected configurations

Nvd

Node

pyload-ng_projectpyload-ngRange<0.5.0b3.dev78python

VendorProductVersionCPE
pyload-ng_projectpyload-ng*cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*

Vendor	Product	Version	CPE
pyload-ng_project	pyload-ng	*	cpe:2.3:a:pyload-ng_project:pyload-ng::::::python::*

References

github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e

github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc

github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.001

Percentile

29.5%

JSON

Related for NVD:CVE-2024-22416

githubexploit1 github1 osv3 cvelist1 prion1 cve1 veracode1