CVE-2024-22416
Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
9.6
CRITICAL
CVSS 3.1
EPSS 5.9%
Description
pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade.
How to fix CVE-2024-22416
To remediate CVE-2024-22416, upgrade the affected package to a fixed version below.
- —upgrade to 0.5.0b3.dev78 or later
- —upgrade to 1374c824271cb7e927740664d06d2e577624ca3e or later
Is CVE-2024-22416 being exploited?
Moderate — EPSS is 5.9%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- from 0, < 0.5.0b3.dev78
- from 0, < 1374c824271cb7e927740664d06d2e577624ca3e, < c7cdc18ad9134a75222974b39e8b427c4af845fc | from 0, < 0.5.0b3.dev78
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| osv | CVSS 3.1 | CRITICAL9.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |