CVE-2024-21644 pyLoad unauthenticated flask configuration leakage
pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the SECRET_KEY variable. This issue has been patched in version 0.5.0b3.dev77...
CVE-2024-21644
Affected software: pyLoad (Python-based download manager). Issue: Unauthenticated users can access the Flask configuration, including the SECRET_KEY, via a specific URL endpoint, due to improper access control in the web UI. Root cause / details: The vulnerability is triggered by a route that ren...
CVE-2024-21645
pyload is affected by a Log Injection vulnerability (CVE-2024-21645) that allows any unauthenticated actor to inject arbitrary log messages into pyload logs. The root cause is insufficient escaping of certain input (e.g., newline in username) which corrupts log entries. Impact: forged or corrupte...
CVE-2024-21645 pyLoad Log Injection
pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in pyload allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload. Forged or otherwise corrupted log files can be used to cover an...
PT-2024-18994 · Pyload · Pyload
Name of the Vulnerable Software and Affected Versions: pyLoad versions prior to 0.5.0b3.dev77. Description: Any unauthenticated user can browse to a specific URL to expose the Flask config, including the SECRET_KEY variable. This issue allows attackers to access sensitive information, which could...
CVE-2023-47890
pyLoad 0.5.0 is vulnerable to Unrestricted File Upload...
pyload injection vulnerability
pyload is a free and open source download manager written in Python, designed to be extremely lightweight, easily extensible and fully manageable over the Web. An injection vulnerability exists in versions prior to pyLoad 0.5.0b3.dev76, which stems from the presence of a log injection vulnerabili...
CVE-2023-47890
CVE-2023-47890 affects pyLoad 0.5.0 and describes an Unrestricted File Upload via the edit_package flow, enabling arbitrary filesystem writes and potential remote code execution. Public documents corroborate a path-traversal/unauthorized-folder issue in the Python-based pyLoad web UI, with PoCs a...
pyLoad Access Control Error Vulnerability
pyload is a free and open source download manager written in Python, designed to be extremely lightweight, easily extensible and fully manageable over the Web. An access control error vulnerability exists in versions prior to pyLoad 0.5.0b3.dev76, which stems from allowing an unauthenticated...
pyload Security Vulnerabilities
pyload is a free and open source download manager written in Python, designed to be extremely lightweight, easily extensible and fully manageable over the Web. A security vulnerability exists in pyLoad version 0.5.0 that stems from vulnerability to unrestricted file uploads...
Download to arbitrary folder can lead to RCE
Summary A web UI user can store files anywhere on the pyLoad server and gain command execution by abusing scripts. Details When a user creates a new package, a subdirectory is created within the /downloads folder to store files. This new directory name is derived from the package name, except a...
GHSA-H73M-PCFW-25H2 Download to arbitrary folder can lead to RCE
Summary A web UI user can store files anywhere on the pyLoad server and gain command execution by abusing scripts. Details When a user creates a new package, a subdirectory is created within the /downloads folder to store files. This new directory name is derived from the package name, except a...
PT-2023-30657 · Pyload · Pyload
Name of the Vulnerable Software and Affected Versions: pyLoad version 0.5.0. Description: The issue allows an authenticated user to upload files to arbitrary locations on the server, potentially leading to command execution by abusing scripts. When creating a new package, a subdirectory is created...
PyLoad 0.5.0 - Pre-auth Remote Code Execution Exploit
Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution RCE Credits: bAu @bauh0lz Exploit Author: Gabriel Lima 0xGabe Vendor Homepage: https://pyload.net/ Software Link: https://github.com/pyload/pyload Version: 0.5.0 Tested on: Ubuntu 20.04.6 CVE: CVE-2023-0297 import requests, argparse...
Exploit for Code Injection in Pyload
CVE-2023-0297 https:...