CVE-2024-22416 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-22416

CVE-2024-22416

January 17, 2024

pyLoad is a free and open-source Download Manager written in pure Python. The "pyload" API allows any API call to be made using GET requests. Since the session cookie is not set to "SameSite: strict", this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release "0.5.0b3.dev78". All users are advised to upgrade.

Affected Packages

pyload-ng (PYTHON):

Affected version(s) >=0.5.0a5.dev528 <0.5.0b3.dev78

Fix Suggestion:

Update to version 0.5.0b3.dev78

Additional Notes

The description of this vulnerability differs from MITRE.

Related Resources (6)

https://nvd.nist.gov/vuln/detail/CVE-2024-22416

https://github.com/pyload/pyload

https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e

https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2024-17.yaml

https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc

https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm

Do you need more information?

CVSS v4

Base Score:

9.4

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

HIGH

Subsequent System Integrity

HIGH

Subsequent System Availability

HIGH

CVSS v3

Base Score:

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

EPSS

Base Score:

5.90

Products

Solutions

Resources

Company

Compare

Developer Tools