CVE-2024-22416

Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade.

pyLoad es un administrador de descargas gratuito y de código abierto escrito en Python puro. La API `pyload` permite realizar cualquier llamada a la API mediante solicitudes GET. Dado que la cookie de sesión no está configurada en "SameSite: strict", esto abre la librería a graves posibilidades de ataque a través de un ataque de Cross-Site Request Forgery (CSRF). Como resultado, cualquier llamada a la API puede realizarse mediante un ataque CSRF por parte de un usuario no autenticado. Este problema se solucionó en la versión `0.5.0b3.dev78`. Se recomienda a todos los usuarios que actualicen.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-01-10 CVE Reserved
2024-01-17 CVE Published
2024-01-19 First Exploit
2024-08-01 CVE Updated
2024-10-07 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-352: Cross-Site Request Forgery (CSRF)

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC
https://github.com/mindstorm38/ensimag-secu3a-cve-2024-22416	2024-01-19
https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm	2024-08-01

URL	Date	SRC
https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e	2024-01-29
https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc	2024-01-29

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Pyload-ng Project Search vendor "Pyload-ng Project"		Pyload-ng Search vendor "Pyload-ng Project" for product "Pyload-ng"				< 0.5.0b3.dev78 Search vendor "Pyload-ng Project" for product "Pyload-ng" and version " < 0.5.0b3.dev78"		python		Affected