CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 2CVE-2024-22416 – Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
https://notcve.org/view.php?id=CVE-2024-22416
pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. • https://github.com/mindstorm38/ensimag-secu3a-cve-2024-22416 https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.4EPSS: 0%CPEs: 2EXPL: 1CVE-2023-0509 – Improper Certificate Validation in pyload/pyload
https://notcve.org/view.php?id=CVE-2023-0509
Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44. Validación de certificado incorrecta en pyload/pyload del repositorio de GitHub antes de 0.5.0b3.dev44. • https://github.com/pyload/pyload/commit/a9098bdf7406e6faf9df3da6ff2d584e90c13bbb https://huntr.dev/bounties/a370e0c2-a41c-4871-ad91-bc6f31a8e839 • CWE-295: Improper Certificate Validation •
CVSS: 9.6EPSS: 0%CPEs: 2EXPL: 1CVE-2023-0488 – Cross-site Scripting (XSS) - Stored in pyload/pyload
https://notcve.org/view.php?id=CVE-2023-0488
Cross-site Scripting (XSS) - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42. Cross site scripting (XSS): almacenado en el repositorio de GitHub pyload/pyload anterior a 0.5.0b3.dev42. • https://github.com/pyload/pyload/commit/46d75a3087f3237d06530d55998938e2e2bda6bd https://huntr.dev/bounties/4311d8d7-682c-4f2a-b92c-3f9f1a36255a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-0057 – Improper Restriction of Rendered UI Layers or Frames in pyload/pyload
https://notcve.org/view.php?id=CVE-2023-0057
Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33. Restricción inadecuada de capas o marcos de interfaz de usuario renderizados en pyload/pyload del repositorio de GitHub antes de 0.5.0b3.dev33. • https://github.com/pyload/pyload/commit/bd2a31b7de54570b919aa1581d486e6ee18c0f64 https://huntr.dev/bounties/12b64f91-d048-490c-94b0-37514b6d694d • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •