PYSEC-2024-17
pyLoad is a free and open-source Download Manager written in pure Python. The pyload API allows any API call to be made using GET requests. Since the session cookie is not set to SameSite: strict, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery CSRF attac...
A vulnerability in the pyLoad download-manager software stems from improper restriction of the layers or frames that can be rendered in its web user interface. This allows an attacker to carry out a clickjacking attack.
A vulnerability in the pyLoad download-manager software stems from improper restriction of the layers or frames that can be rendered in its web user interface. Exploiting this vulnerability allows a remote attacker to carry out a clickjacking attack...
CVE-2024-22416 Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
pyLoad is a free and open-source Download Manager written in pure Python. The pyload API allows any API call to be made using GET requests. Since the session cookie is not set to SameSite: strict, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery CSRF attac...
CVE-2024-22416
Affected software: pyLoad (Python-based download manager). Vulnerability: CSRF in the pyload API where GET requests can be used without SameSite cookie protection, allowing any API call by an unauthenticated user. This has been addressed in release 0.5.0b3.dev78, and all users are advised to upgr...
pyload Cross-Site Request Forgery Vulnerability
pyload is a free and open source download manager written in Python, designed to be extremely lightweight, easily extensible and fully manageable over the Web...
Log Injection
pyload-ng is vulnerable to Log Injection. The vulnerability is caused due to a lack of validation while logging an error in apiblueprint.py and appblueprint.py. An attacker can corrupt log files exploiting this vulnerability...
Information Disclosure
pyload-ng is vulnerable to Unauthenticated Information Disclosure. The vulnerability is due to improper authorization and authentication checks. This issue can be exploited by an attacker to disclose sensitive information such as Flask configurations, which includes the SECRETKEY variable...
CVE-2023-47890
pyLoad 0.5.0 is vulnerable to Unrestricted File Upload...
Unrestricted file upload
pyLoad 0.5.0 is vulnerable to Unrestricted File Upload...
GHSA-MQPQ-2P68-46FV pyload Unauthenticated Flask Configuration Leakage vulnerability
Summary: Any unauthenticated user can browse to a specific URL to expose the Flask config, including the SECRETKEY variable. Details: Any unauthenticated user can browse to a specific URL to expose the Flask config, including the SECRETKEY variable. PoC: Run pyload in the default configuration by...
GHSA-GHMW-RWH8-6QMR pyload Log Injection vulnerability
Summary: A log injection vulnerability was identified in pyload. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload. Details: pyload will generate a log entry when attempting to sign in with faulty credentials. This entry will be in the...
CVE-2024-21644
pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the SECRETKEY variable. This issue has been patched in version 0.5.0b3.dev77...
CVE-2024-21645
pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in pyload allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload. Forged or otherwise, corrupted log files can be used to cover an...