Vulnerabilities related to pyload - pyload
Vulnerability from fkie_nvd
Published
2024-01-08 20:15
Modified
2024-11-21 08:30
Summary
pyLoad 0.5.0 is vulnerable to Unrestricted File Upload.
Impacted products
Vendor Product Version
pyload pyload 0.5.0



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:0.5.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "E5A06D79-6D64-41FB-9040-17E9630DF4E9",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "pyLoad 0.5.0 is vulnerable to Unrestricted File Upload.",
      },
      {
         lang: "es",
         value: "pyLoad 0.5.0 es vulnerable a la carga de archivos sin restricciones.",
      },
   ],
   id: "CVE-2023-47890",
   lastModified: "2024-11-21T08:30:57.770",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 8.8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-01-08T20:15:44.453",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Not Applicable",
         ],
         url: "http://pyload.com",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/security/advisories/GHSA-h73m-pcfw-25h2",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Not Applicable",
         ],
         url: "http://pyload.com",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/security/advisories/GHSA-h73m-pcfw-25h2",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-01-05 01:15
Modified
2024-11-21 07:36
Summary
Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33.
Impacted products
Vendor Product Version
pyload pyload *
pyload-ng_project pyload-ng *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "E7EA254D-412B-4CE1-B078-ADC5AD328A7A",
                     versionEndExcluding: "2023-01-05",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*",
                     matchCriteriaId: "BB4755AB-9AEB-4DC2-9EC8-C55756DC7D45",
                     versionEndExcluding: "0.5.0b3.dev33",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33.",
      },
      {
         lang: "es",
         value: "Restricción inadecuada de capas o marcos de interfaz de usuario renderizados en pyload/pyload del repositorio de GitHub antes de 0.5.0b3.dev33.",
      },
   ],
   id: "CVE-2023-0057",
   lastModified: "2024-11-21T07:36:28.507",
   metrics: {
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 3.1,
               baseSeverity: "LOW",
               confidentialityImpact: "NONE",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
               version: "3.0",
            },
            exploitabilityScore: 1.6,
            impactScore: 1.4,
            source: "security@huntr.dev",
            type: "Secondary",
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-01-05T01:15:09.123",
   references: [
      {
         source: "security@huntr.dev",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/commit/bd2a31b7de54570b919aa1581d486e6ee18c0f64",
      },
      {
         source: "security@huntr.dev",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://huntr.dev/bounties/12b64f91-d048-490c-94b0-37514b6d694d",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/commit/bd2a31b7de54570b919aa1581d486e6ee18c0f64",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://huntr.dev/bounties/12b64f91-d048-490c-94b0-37514b6d694d",
      },
   ],
   sourceIdentifier: "security@huntr.dev",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-1021",
            },
         ],
         source: "security@huntr.dev",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-01-14 03:15
Modified
2024-11-21 07:36
Summary
Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.
Impacted products
Vendor Product Version
pyload pyload *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "DACFA9B5-22AD-4BC6-87D5-8272FF49BD56",
                     versionEndIncluding: "0.4.20",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.",
      },
      {
         lang: "es",
         value: "Inyección de código en el repositorio de GitHub pyload/pyload anterior a 0.5.0b3.dev31.",
      },
   ],
   id: "CVE-2023-0297",
   lastModified: "2024-11-21T07:36:55.160",
   metrics: {
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.0",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "security@huntr.dev",
            type: "Secondary",
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-01-14T03:15:18.800",
   references: [
      {
         source: "security@huntr.dev",
         url: "http://packetstormsecurity.com/files/171096/pyLoad-js2py-Python-Execution.html",
      },
      {
         source: "security@huntr.dev",
         url: "http://packetstormsecurity.com/files/172914/PyLoad-0.5.0-Remote-Code-Execution.html",
      },
      {
         source: "security@huntr.dev",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/commit/7d73ba7919e594d783b3411d7ddb87885aea782d",
      },
      {
         source: "security@huntr.dev",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://packetstormsecurity.com/files/171096/pyLoad-js2py-Python-Execution.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://packetstormsecurity.com/files/172914/PyLoad-0.5.0-Remote-Code-Execution.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/commit/7d73ba7919e594d783b3411d7ddb87885aea782d",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65",
      },
   ],
   sourceIdentifier: "security@huntr.dev",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-94",
            },
         ],
         source: "security@huntr.dev",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-01-22 01:15
Modified
2024-11-21 07:37
Summary
Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40.
Impacted products
Vendor Product Version
pyload pyload *
pyload pyload 0.5.0 beta1
pyload pyload 0.5.0 beta2



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "71C7D7BA-743B-4C43-B77C-E6C1A6ACFE7E",
                     versionEndIncluding: "0.4.9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:0.5.0:beta1:*:*:*:*:*:*",
                     matchCriteriaId: "3040B5C9-171B-40D9-83CB-CD529DC046ED",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:0.5.0:beta2:*:*:*:*:*:*",
                     matchCriteriaId: "78FA70FC-0CFE-4E89-9274-1670E1204B61",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40.",
      },
      {
         lang: "es",
         value: "Validación de entrada incorrecta en pyload/pyload del repositorio de GitHub antes de 0.5.0b3.dev40.",
      },
   ],
   id: "CVE-2023-0434",
   lastModified: "2024-11-21T07:37:10.390",
   metrics: {
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "PHYSICAL",
               availabilityImpact: "HIGH",
               baseScore: 5.4,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "HIGH",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.0/AV:P/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H",
               version: "3.0",
            },
            exploitabilityScore: 0.2,
            impactScore: 5.2,
            source: "security@huntr.dev",
            type: "Secondary",
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-01-22T01:15:10.183",
   references: [
      {
         source: "security@huntr.dev",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/commit/a2b1eb1028f45ac58dea5f58593c1d3db2b4a104",
      },
      {
         source: "security@huntr.dev",
         tags: [
            "Exploit",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://huntr.dev/bounties/7d9332d8-6997-483b-9fb9-bcf2ae01dad4",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/commit/a2b1eb1028f45ac58dea5f58593c1d3db2b4a104",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://huntr.dev/bounties/7d9332d8-6997-483b-9fb9-bcf2ae01dad4",
      },
   ],
   sourceIdentifier: "security@huntr.dev",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-20",
            },
         ],
         source: "security@huntr.dev",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-20",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-01-12 01:15
Modified
2024-11-21 07:36
Summary
Insufficient Session Expiration in GitHub repository pyload/pyload prior to 0.5.0b3.dev36.
Impacted products
Vendor Product Version
pyload pyload *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "270B9386-E69E-44A1-943F-8EE757354530",
                     versionEndExcluding: "2023-01-12",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Insufficient Session Expiration in GitHub repository pyload/pyload prior to 0.5.0b3.dev36.",
      },
      {
         lang: "es",
         value: "Caducidad de sesión insuficiente en pyload/pyload del repositorio de GitHub anterior a 0.5.0b3.dev36.",
      },
   ],
   id: "CVE-2023-0227",
   lastModified: "2024-11-21T07:36:46.873",
   metrics: {
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 8.3,
               baseSeverity: "HIGH",
               confidentialityImpact: "LOW",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
               version: "3.0",
            },
            exploitabilityScore: 2.8,
            impactScore: 5.5,
            source: "security@huntr.dev",
            type: "Secondary",
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-01-12T01:15:10.020",
   references: [
      {
         source: "security@huntr.dev",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/commit/c035714c0596b704b11af0f8a669352f128ad2d9",
      },
      {
         source: "security@huntr.dev",
         tags: [
            "Exploit",
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://huntr.dev/bounties/af3101d7-fea6-463a-b7e4-a48be219e31b",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/commit/c035714c0596b704b11af0f8a669352f128ad2d9",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://huntr.dev/bounties/af3101d7-fea6-463a-b7e4-a48be219e31b",
      },
   ],
   sourceIdentifier: "security@huntr.dev",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-613",
            },
         ],
         source: "security@huntr.dev",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2024-01-08 14:15
Modified
2024-11-21 08:54
Summary
pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise, corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77.
Impacted products
Vendor Product Version
pyload pyload *
pyload pyload 0.5.0 beta1
pyload pyload 0.5.0 beta2



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "71C7D7BA-743B-4C43-B77C-E6C1A6ACFE7E",
                     versionEndIncluding: "0.4.9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:0.5.0:beta1:*:*:*:*:*:*",
                     matchCriteriaId: "3040B5C9-171B-40D9-83CB-CD529DC046ED",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:0.5.0:beta2:*:*:*:*:*:*",
                     matchCriteriaId: "78FA70FC-0CFE-4E89-9274-1670E1204B61",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise, corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77.\n",
      },
      {
         lang: "es",
         value: "pyLoad es el administrador de descargas gratuito y de código abierto escrito en Python puro. Se identificó una vulnerabilidad de inyección de registros en \"pyload\" que permite a cualquier actor no autenticado inyectar mensajes arbitrarios en los registros recopilados por \"pyload\". Los archivos de registro corruptos, falsificados o no, se pueden utilizar para cubrir las huellas de un atacante o incluso para implicar a otra parte en la comisión de un acto malicioso. Esta vulnerabilidad ha sido parcheada en la versión 0.5.0b3.dev77.",
      },
   ],
   id: "CVE-2024-21645",
   lastModified: "2024-11-21T08:54:47.520",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 1.4,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 1.4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-01-08T14:15:47.420",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
         ],
         url: "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Exploit",
            "Vendor Advisory",
         ],
         url: "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Vendor Advisory",
         ],
         url: "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-74",
            },
         ],
         source: "security-advisories@github.com",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-01-04 22:15
Modified
2024-11-21 07:36
Summary
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32.
Impacted products
Vendor Product Version
pyload pyload 0.5.0



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:0.5.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "E5A06D79-6D64-41FB-9040-17E9630DF4E9",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32.",
      },
      {
         lang: "es",
         value: "Cookie confidencial en sesión HTTPS sin atributo 'seguro' en el repositorio de GitHub pyload/pyload anterior a 0.5.0b3.dev32.",
      },
   ],
   id: "CVE-2023-0055",
   lastModified: "2024-11-21T07:36:28.260",
   metrics: {
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 3.1,
               baseSeverity: "LOW",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
               version: "3.0",
            },
            exploitabilityScore: 1.6,
            impactScore: 1.4,
            source: "security@huntr.dev",
            type: "Secondary",
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 1.4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-01-04T22:15:09.180",
   references: [
      {
         source: "security@huntr.dev",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/commit/7b53b8d43c2c072b457dcd19c8a09bcfc3721703",
      },
      {
         source: "security@huntr.dev",
         tags: [
            "Exploit",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://huntr.dev/bounties/ed88e240-99ff-48a1-bf32-8e1ef5f13cce",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/commit/7b53b8d43c2c072b457dcd19c8a09bcfc3721703",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://huntr.dev/bounties/ed88e240-99ff-48a1-bf32-8e1ef5f13cce",
      },
   ],
   sourceIdentifier: "security@huntr.dev",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-614",
            },
         ],
         source: "security@huntr.dev",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-319",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2024-11-15 11:15
Modified
2024-11-19 19:04
Summary
An open redirection vulnerability exists in pyload/pyload version 0.5.0. The vulnerability is due to improper handling of the 'next' parameter in the login functionality. An attacker can exploit this vulnerability to redirect users to malicious sites, which can be used for phishing or other malicious activities. The issue is fixed in pyload-ng 0.5.0b3.dev79.
Impacted products
Vendor Product Version
pyload pyload 0.5.0



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:0.5.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "E5A06D79-6D64-41FB-9040-17E9630DF4E9",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "An open redirection vulnerability exists in pyload/pyload version 0.5.0. The vulnerability is due to improper handling of the 'next' parameter in the login functionality. An attacker can exploit this vulnerability to redirect users to malicious sites, which can be used for phishing or other malicious activities. The issue is fixed in pyload-ng 0.5.0b3.dev79.",
      },
      {
         lang: "es",
         value: "Existe una vulnerabilidad de redirección abierta en la versión 0.5.0 de pyload/pyload. La vulnerabilidad se debe a un manejo inadecuado del parámetro 'next' en la función de inicio de sesión. Un atacante puede aprovechar esta vulnerabilidad para redirigir a los usuarios a sitios maliciosos, que pueden usarse para suplantación de identidad u otras actividades maliciosas. El problema se solucionó en pyload-ng 0.5.0b3.dev79.",
      },
   ],
   id: "CVE-2024-1240",
   lastModified: "2024-11-19T19:04:53.913",
   metrics: {
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 4.6,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
               version: "3.0",
            },
            exploitabilityScore: 2.1,
            impactScore: 2.5,
            source: "security@huntr.dev",
            type: "Secondary",
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 4.6,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
               version: "3.1",
            },
            exploitabilityScore: 2.1,
            impactScore: 2.5,
            source: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
            type: "Secondary",
         },
      ],
   },
   published: "2024-11-15T11:15:10.773",
   references: [
      {
         source: "security@huntr.dev",
         tags: [
            "Patch",
         ],
         url: "https://github.com/pyload/pyload/commit/fe94451dcc2be90b3889e2fd9d07b483c8a6dccd",
      },
      {
         source: "security@huntr.dev",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://huntr.com/bounties/eef9513d-ccc3-4030-b574-374c5e7b887e",
      },
   ],
   sourceIdentifier: "security@huntr.dev",
   vulnStatus: "Analyzed",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-601",
            },
         ],
         source: "security@huntr.dev",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2024-02-06 04:15
Modified
2024-11-21 08:59
Summary
pyLoad is an open-source Download Manager written in pure Python. There is an open redirect vulnerability due to incorrect validation of input values when redirecting users after login. pyLoad is validating URLs via the `get_redirect_url` function when redirecting users at login. This vulnerability has been patched with commit fe94451.
Impacted products
Vendor Product Version
pyload pyload *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "9347973D-3989-4969-8721-8A55ABBE2F6E",
                     versionEndIncluding: "0.5.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "pyLoad is an open-source Download Manager written in pure Python. There is an open redirect vulnerability due to incorrect validation of input values when redirecting users after login. pyLoad is validating URLs via the `get_redirect_url` function when redirecting users at login. This vulnerability has been patched with commit fe94451.",
      },
      {
         lang: "es",
         value: "pyLoad es un administrador de descargas de código abierto escrito en Python puro. Existe una vulnerabilidad de redireccionamiento abierto debido a la validación incorrecta de los valores de entrada al redirigir a los usuarios después de iniciar sesión. pyLoad valida las URL a través de la función `get_redirect_url` cuando redirige a los usuarios al iniciar sesión. Esta vulnerabilidad se ha solucionado con el commit fe94451.",
      },
   ],
   id: "CVE-2024-24808",
   lastModified: "2024-11-21T08:59:45.443",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 4.7,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 1.4,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-02-06T04:15:08.260",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
         ],
         url: "https://github.com/pyload/pyload/commit/fe94451dcc2be90b3889e2fd9d07b483c8a6dccd",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Exploit",
            "Vendor Advisory",
         ],
         url: "https://github.com/pyload/pyload/security/advisories/GHSA-g3cm-qg2v-2hj5",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "https://github.com/pyload/pyload/commit/fe94451dcc2be90b3889e2fd9d07b483c8a6dccd",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Vendor Advisory",
         ],
         url: "https://github.com/pyload/pyload/security/advisories/GHSA-g3cm-qg2v-2hj5",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-601",
            },
         ],
         source: "security-advisories@github.com",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2024-10-25 23:15
Modified
2025-03-05 15:50
Summary
pyLoad is a free and open-source Download Manager. The folder `/.pyload/scripts` has scripts which are run when certain actions are completed, e.g. when a download is finished. By downloading an executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved in versions prior to 0.5.0b3.dev87. A file can be downloaded to such a folder by changing the download folder to a folder in the `/scripts` path and using the `/flashgot` API to download the file. This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system. Version 0.5.0b3.dev87 fixes this issue.
Impacted products
Vendor Product Version
pyload pyload 0.5.0



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:0.5.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "E5A06D79-6D64-41FB-9040-17E9630DF4E9",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "pyLoad is a free and open-source Download Manager. The folder `/.pyload/scripts` has scripts which are run when certain actions are completed, e.g. when a download is finished. By downloading an executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved in versions prior to 0.5.0b3.dev87. A file can be downloaded to such a folder by changing the download folder to a folder in the `/scripts` path and using the `/flashgot` API to download the file. This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system. Version 0.5.0b3.dev87 fixes this issue.",
      },
      {
         lang: "es",
         value: "pyLoad es un gestor de descargas gratuito y de código abierto. La carpeta `/.pyload/scripts` contiene scripts que se ejecutan cuando se completan determinadas acciones, por ejemplo, cuando finaliza una descarga. Al descargar un archivo ejecutable en una carpeta en /scripts y realizar la acción correspondiente, se puede lograr la ejecución remota de código en versiones de la rama 0.5 anteriores a 0.5.0b3.dev87. Se puede descargar un archivo en una carpeta de este tipo cambiando la carpeta de descarga a una carpeta en la ruta `/scripts` y utilizando la API `/flashgot` para descargar el archivo. Esta vulnerabilidad permite a un atacante con acceso cambiar la configuración en un servidor pyload para ejecutar código arbitrario y comprometer por completo el sistema. La versión 0.5.0b3.dev87 soluciona este problema.",
      },
   ],
   id: "CVE-2024-47821",
   lastModified: "2025-03-05T15:50:58.480",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.1,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "HIGH",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.3,
            impactScore: 6,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "NONE",
               baseScore: 2.3,
               baseSeverity: "LOW",
               confidentialityImpact: "NONE",
               integrityImpact: "LOW",
               privilegesRequired: "HIGH",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 0.8,
            impactScore: 1.4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-10-25T23:15:02.530",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Exploit",
            "Vendor Advisory",
         ],
         url: "https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Analyzed",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-78",
            },
         ],
         source: "security-advisories@github.com",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-01-26 22:15
Modified
2024-11-21 07:37
Summary
Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44.
Impacted products
Vendor Product Version
pyload pyload *
pyload-ng_project pyload-ng *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "98C08F13-A3B4-424F-AB95-9CAEDC37D57F",
                     versionEndExcluding: "2023-01-25",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*",
                     matchCriteriaId: "41241786-7E3F-4DAF-A391-913FAD3C3C45",
                     versionEndExcluding: "0.5.0b3.dev44",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44.",
      },
      {
         lang: "es",
         value: "Validación de certificado incorrecta en pyload/pyload del repositorio de GitHub antes de 0.5.0b3.dev44.",
      },
   ],
   id: "CVE-2023-0509",
   lastModified: "2024-11-21T07:37:18.937",
   metrics: {
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.4,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
               version: "3.0",
            },
            exploitabilityScore: 2.2,
            impactScore: 5.2,
            source: "security@huntr.dev",
            type: "Secondary",
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.4,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.2,
            impactScore: 5.2,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-01-26T22:15:26.993",
   references: [
      {
         source: "security@huntr.dev",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/commit/a9098bdf7406e6faf9df3da6ff2d584e90c13bbb",
      },
      {
         source: "security@huntr.dev",
         tags: [
            "Exploit",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://huntr.dev/bounties/a370e0c2-a41c-4871-ad91-bc6f31a8e839",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/commit/a9098bdf7406e6faf9df3da6ff2d584e90c13bbb",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://huntr.dev/bounties/a370e0c2-a41c-4871-ad91-bc6f31a8e839",
      },
   ],
   sourceIdentifier: "security@huntr.dev",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-295",
            },
         ],
         source: "security@huntr.dev",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-01-22 22:15
Modified
2024-11-21 07:37
Summary
Excessive Attack Surface in GitHub repository pyload/pyload prior to 0.5.0b3.dev41.
Impacted products
Vendor Product Version
pyload pyload *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "DACFA9B5-22AD-4BC6-87D5-8272FF49BD56",
                     versionEndIncluding: "0.4.20",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Excessive Attack Surface in GitHub repository pyload/pyload prior to 0.5.0b3.dev41.",
      },
      {
         lang: "es",
         value: "Superficie de ataque excesiva en pyload/pyload del repositorio de GitHub anterior a 0.5.0b3.dev41.",
      },
   ],
   id: "CVE-2023-0435",
   lastModified: "2024-11-21T07:37:10.510",
   metrics: {
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "NONE",
               baseScore: 4,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
               version: "3.0",
            },
            exploitabilityScore: 2.5,
            impactScore: 1.4,
            source: "security@huntr.dev",
            type: "Secondary",
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-01-22T22:15:10.177",
   references: [
      {
         source: "security@huntr.dev",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/commit/431ea6f0371d748df66b344a05ca1a8e0310cff3",
      },
      {
         source: "security@huntr.dev",
         tags: [
            "Exploit",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://huntr.dev/bounties/a3e32ad5-caee-4f43-b10a-4a876d4e3f1d",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/commit/431ea6f0371d748df66b344a05ca1a8e0310cff3",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://huntr.dev/bounties/a3e32ad5-caee-4f43-b10a-4a876d4e3f1d",
      },
   ],
   sourceIdentifier: "security@huntr.dev",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-1125",
            },
         ],
         source: "security@huntr.dev",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "NVD-CWE-Other",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-01-26 22:15
Modified
2024-11-21 07:37
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42.
Impacted products
Vendor Product Version
pyload pyload *
pyload-ng_project pyload-ng *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "C26DFAFC-CA1D-43C9-9A95-AFD844125513",
                     versionEndExcluding: "2023-01-24",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*",
                     matchCriteriaId: "B3F0A14B-745C-440A-AC98-6DE3C517006F",
                     versionEndExcluding: "0.5.0b3.dev42",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Cross-site Scripting (XSS) - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42.",
      },
      {
         lang: "es",
         value: "Cross site scripting (XSS): almacenado en el repositorio de GitHub pyload/pyload anterior a 0.5.0b3.dev42.",
      },
   ],
   id: "CVE-2023-0488",
   lastModified: "2024-11-21T07:37:16.667",
   metrics: {
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.6,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
               version: "3.0",
            },
            exploitabilityScore: 2.8,
            impactScore: 6,
            source: "security@huntr.dev",
            type: "Secondary",
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.4,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.3,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-01-26T22:15:26.727",
   references: [
      {
         source: "security@huntr.dev",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/commit/46d75a3087f3237d06530d55998938e2e2bda6bd",
      },
      {
         source: "security@huntr.dev",
         tags: [
            "Exploit",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://huntr.dev/bounties/4311d8d7-682c-4f2a-b92c-3f9f1a36255a",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/pyload/pyload/commit/46d75a3087f3237d06530d55998938e2e2bda6bd",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://huntr.dev/bounties/4311d8d7-682c-4f2a-b92c-3f9f1a36255a",
      },
   ],
   sourceIdentifier: "security@huntr.dev",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "security@huntr.dev",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2024-01-08 14:15
Modified
2024-11-21 08:54
Summary
pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.
Impacted products
Vendor Product Version
pyload pyload *
pyload pyload 0.5.0
pyload pyload 0.5.0



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "71C7D7BA-743B-4C43-B77C-E6C1A6ACFE7E",
                     versionEndIncluding: "0.4.9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:0.5.0:beta1:*:*:*:*:*:*",
                     matchCriteriaId: "3040B5C9-171B-40D9-83CB-CD529DC046ED",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:pyload:pyload:0.5.0:beta2:*:*:*:*:*:*",
                     matchCriteriaId: "78FA70FC-0CFE-4E89-9274-1670E1204B61",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.",
      },
      {
         lang: "es",
         value: "pyLoad es el administrador de descargas gratuito y de código abierto escrito en Python puro. Cualquier usuario no autenticado puede navegar a una URL específica para exponer la configuración de Flask, incluida la variable `SECRET_KEY`. Este problema se solucionó en la versión 0.5.0b3.dev77.",
      },
   ],
   id: "CVE-2024-21644",
   lastModified: "2024-11-21T08:54:47.407",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-01-08T14:15:47.217",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
         ],
         url: "https://github.com/pyload/pyload/commit/bb22063a875ffeca357aaf6e2edcd09705688c40",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Exploit",
            "Vendor Advisory",
         ],
         url: "https://github.com/pyload/pyload/security/advisories/GHSA-mqpq-2p68-46fv",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "https://github.com/pyload/pyload/commit/bb22063a875ffeca357aaf6e2edcd09705688c40",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Vendor Advisory",
         ],
         url: "https://github.com/pyload/pyload/security/advisories/GHSA-mqpq-2p68-46fv",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-284",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "NVD-CWE-noinfo",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

cve-2023-0057
Vulnerability from cvelistv5
Published
2023-01-05 00:00
Modified
2024-08-02 04:54
Summary
Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33.
Impacted products
Vendor Product Version
pyload pyload/pyload Version: unspecified   < 0.5.0b3.dev33


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T04:54:32.656Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://huntr.dev/bounties/12b64f91-d048-490c-94b0-37514b6d694d",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/commit/bd2a31b7de54570b919aa1581d486e6ee18c0f64",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "pyload/pyload",
               vendor: "pyload",
               versions: [
                  {
                     lessThan: "0.5.0b3.dev33",
                     status: "affected",
                     version: "unspecified",
                     versionType: "custom",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 3.1,
                  baseSeverity: "LOW",
                  confidentialityImpact: "NONE",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-1021",
                     description: "CWE-1021 Improper Restriction of Rendered UI Layers or Frames",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-01-05T00:00:00",
            orgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
            shortName: "@huntrdev",
         },
         references: [
            {
               url: "https://huntr.dev/bounties/12b64f91-d048-490c-94b0-37514b6d694d",
            },
            {
               url: "https://github.com/pyload/pyload/commit/bd2a31b7de54570b919aa1581d486e6ee18c0f64",
            },
         ],
         source: {
            advisory: "12b64f91-d048-490c-94b0-37514b6d694d",
            discovery: "EXTERNAL",
         },
         title: "Improper Restriction of Rendered UI Layers or Frames in pyload/pyload",
      },
   },
   cveMetadata: {
      assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
      assignerShortName: "@huntrdev",
      cveId: "CVE-2023-0057",
      datePublished: "2023-01-05T00:00:00",
      dateReserved: "2023-01-04T00:00:00",
      dateUpdated: "2024-08-02T04:54:32.656Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2024-47821
Vulnerability from cvelistv5
Published
2024-10-25 22:48
Modified
2024-10-28 19:41
Summary
pyLoad is a free and open-source Download Manager. The folder `/.pyload/scripts` holds scripts that are run when certain actions complete, e.g. when a download finishes. By downloading an executable file into a folder under /scripts and triggering the respective action, remote code execution can be achieved in versions prior to 0.5.0b3.dev87. A file can be downloaded into such a folder by changing the download folder to a path under `/scripts` and using the `/flashgot` API to download the file. This vulnerability allows an attacker with permission to change the settings of a pyLoad server to execute arbitrary code and completely compromise the system. Version 0.5.0b3.dev87 fixes this issue.
Impacted products
Vendor Product Version
pyload pyload Version: < 0.5.0b3.dev87


{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "pyload",
                  vendor: "pyload",
                  versions: [
                     {
                        lessThan: "0.5.0b3.dev87",
                        status: "affected",
                        version: "0",
                        versionType: "custom",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-47821",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-10-28T17:19:04.341270Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-10-28T19:41:54.018Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "pyload",
               vendor: "pyload",
               versions: [
                  {
                     status: "affected",
                     version: "< 0.5.0b3.dev87",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "pyLoad is a free and open-source Download Manager. The folder `/.pyload/scripts` holds scripts that are run when certain actions complete, e.g. when a download finishes. By downloading an executable file into a folder under /scripts and triggering the respective action, remote code execution can be achieved in versions prior to 0.5.0b3.dev87. A file can be downloaded into such a folder by changing the download folder to a path under `/scripts` and using the `/flashgot` API to download the file. This vulnerability allows an attacker with permission to change the settings of a pyLoad server to execute arbitrary code and completely compromise the system. Version 0.5.0b3.dev87 fixes this issue.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.1,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "HIGH",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-78",
                     description: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-10-28T12:25:11.974Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g",
            },
         ],
         source: {
            advisory: "GHSA-w7hq-f2pj-c53g",
            discovery: "UNKNOWN",
         },
         title: "pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-47821",
      datePublished: "2024-10-25T22:48:57.950Z",
      dateReserved: "2024-10-03T14:06:12.639Z",
      dateUpdated: "2024-10-28T19:41:54.018Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2024-32880
Vulnerability from cvelistv5
Published
2024-04-26 17:30
Modified
2024-08-02 02:20
Summary
pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder, leading to remote code execution. There is no fix available at the time of publication.
Impacted products
Vendor Product Version
pyload pyload Version: <= 4.2.0


{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:pyload:pyload:-:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "pyload",
                  vendor: "pyload",
                  versions: [
                     {
                        status: "affected",
                        version: "*",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-32880",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-04-26T18:47:38.741143Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-06-04T17:51:11.607Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T02:20:35.649Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "pyload",
               vendor: "pyload",
               versions: [
                  {
                     status: "affected",
                     version: "<= 4.2.0",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder, leading to remote code execution. There is no fix available at the time of publication.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.1,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "HIGH",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-434",
                     description: "CWE-434: Unrestricted Upload of File with Dangerous Type",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-04-26T17:30:24.685Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f",
            },
         ],
         source: {
            advisory: "GHSA-3f7w-p8vr-4v5f",
            discovery: "UNKNOWN",
         },
         title: "pyLoad allows upload to arbitrary folder lead to RCE",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-32880",
      datePublished: "2024-04-26T17:30:24.685Z",
      dateReserved: "2024-04-19T14:07:11.230Z",
      dateUpdated: "2024-08-02T02:20:35.649Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-0055
Vulnerability from cvelistv5
Published
2023-01-04 00:00
Modified
2024-08-02 04:54
Summary
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32.
Impacted products
Vendor Product Version
pyload pyload/pyload Version: unspecified   < 0.5.0b3.dev32


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T04:54:32.575Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://huntr.dev/bounties/ed88e240-99ff-48a1-bf32-8e1ef5f13cce",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/commit/7b53b8d43c2c072b457dcd19c8a09bcfc3721703",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "pyload/pyload",
               vendor: "pyload",
               versions: [
                  {
                     lessThan: "0.5.0b3.dev32",
                     status: "affected",
                     version: "unspecified",
                     versionType: "custom",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 3.1,
                  baseSeverity: "LOW",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-614",
                     description: "CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-01-04T00:00:00",
            orgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
            shortName: "@huntrdev",
         },
         references: [
            {
               url: "https://huntr.dev/bounties/ed88e240-99ff-48a1-bf32-8e1ef5f13cce",
            },
            {
               url: "https://github.com/pyload/pyload/commit/7b53b8d43c2c072b457dcd19c8a09bcfc3721703",
            },
         ],
         source: {
            advisory: "ed88e240-99ff-48a1-bf32-8e1ef5f13cce",
            discovery: "EXTERNAL",
         },
         title: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in pyload/pyload",
      },
   },
   cveMetadata: {
      assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
      assignerShortName: "@huntrdev",
      cveId: "CVE-2023-0055",
      datePublished: "2023-01-04T00:00:00",
      dateReserved: "2023-01-04T00:00:00",
      dateUpdated: "2024-08-02T04:54:32.575Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-0297
Vulnerability from cvelistv5
Published
2023-01-14 00:00
Modified
2024-08-02 05:10
Summary
Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.
Impacted products
Vendor Product Version
pyload pyload/pyload Version: unspecified   < 0.5.0b3.dev31


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T05:10:54.945Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/commit/7d73ba7919e594d783b3411d7ddb87885aea782d",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/171096/pyLoad-js2py-Python-Execution.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/172914/PyLoad-0.5.0-Remote-Code-Execution.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "pyload/pyload",
               vendor: "pyload",
               versions: [
                  {
                     lessThan: "0.5.0b3.dev31",
                     status: "affected",
                     version: "unspecified",
                     versionType: "custom",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-94",
                     description: "CWE-94 Improper Control of Generation of Code",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-06-15T00:00:00",
            orgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
            shortName: "@huntrdev",
         },
         references: [
            {
               url: "https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65",
            },
            {
               url: "https://github.com/pyload/pyload/commit/7d73ba7919e594d783b3411d7ddb87885aea782d",
            },
            {
               url: "http://packetstormsecurity.com/files/171096/pyLoad-js2py-Python-Execution.html",
            },
            {
               url: "http://packetstormsecurity.com/files/172914/PyLoad-0.5.0-Remote-Code-Execution.html",
            },
         ],
         source: {
            advisory: "3fd606f7-83e1-4265-b083-2e1889a05e65",
            discovery: "EXTERNAL",
         },
         title: " Code Injection in pyload/pyload",
      },
   },
   cveMetadata: {
      assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
      assignerShortName: "@huntrdev",
      cveId: "CVE-2023-0297",
      datePublished: "2023-01-14T00:00:00",
      dateReserved: "2023-01-14T00:00:00",
      dateUpdated: "2024-08-02T05:10:54.945Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-0227
Vulnerability from cvelistv5
Published
2023-01-12 00:00
Modified
2024-08-02 05:02
Summary
Insufficient Session Expiration in GitHub repository pyload/pyload prior to 0.5.0b3.dev36.
Impacted products
Vendor Product Version
pyload pyload/pyload Version: unspecified   < 0.5.0b3.dev36


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T05:02:43.912Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://huntr.dev/bounties/af3101d7-fea6-463a-b7e4-a48be219e31b",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/commit/c035714c0596b704b11af0f8a669352f128ad2d9",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "pyload/pyload",
               vendor: "pyload",
               versions: [
                  {
                     lessThan: "0.5.0b3.dev36",
                     status: "affected",
                     version: "unspecified",
                     versionType: "custom",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Insufficient Session Expiration in GitHub repository pyload/pyload prior to 0.5.0b3.dev36.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8.3,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "LOW",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-613",
                     description: "CWE-613 Insufficient Session Expiration",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-01-12T00:00:00",
            orgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
            shortName: "@huntrdev",
         },
         references: [
            {
               url: "https://huntr.dev/bounties/af3101d7-fea6-463a-b7e4-a48be219e31b",
            },
            {
               url: "https://github.com/pyload/pyload/commit/c035714c0596b704b11af0f8a669352f128ad2d9",
            },
         ],
         source: {
            advisory: "af3101d7-fea6-463a-b7e4-a48be219e31b",
            discovery: "EXTERNAL",
         },
         title: "Insufficient Session Expiration in pyload/pyload",
      },
   },
   cveMetadata: {
      assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
      assignerShortName: "@huntrdev",
      cveId: "CVE-2023-0227",
      datePublished: "2023-01-12T00:00:00",
      dateReserved: "2023-01-12T00:00:00",
      dateUpdated: "2024-08-02T05:02:43.912Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2024-21644
Vulnerability from cvelistv5
Published
2024-01-08 13:20
Modified
2024-08-01 22:27
Summary
pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.
Impacted products
Vendor Product Version
pyload pyload Version: < 0.5.0b3.dev77


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-01T22:27:36.016Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/pyload/pyload/security/advisories/GHSA-mqpq-2p68-46fv",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/security/advisories/GHSA-mqpq-2p68-46fv",
               },
               {
                  name: "https://github.com/pyload/pyload/commit/bb22063a875ffeca357aaf6e2edcd09705688c40",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/commit/bb22063a875ffeca357aaf6e2edcd09705688c40",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "pyload",
               vendor: "pyload",
               versions: [
                  {
                     status: "affected",
                     version: "< 0.5.0b3.dev77",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-284",
                     description: "CWE-284: Improper Access Control",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-08T13:20:55.182Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/pyload/pyload/security/advisories/GHSA-mqpq-2p68-46fv",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/pyload/pyload/security/advisories/GHSA-mqpq-2p68-46fv",
            },
            {
               name: "https://github.com/pyload/pyload/commit/bb22063a875ffeca357aaf6e2edcd09705688c40",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/pyload/pyload/commit/bb22063a875ffeca357aaf6e2edcd09705688c40",
            },
         ],
         source: {
            advisory: "GHSA-mqpq-2p68-46fv",
            discovery: "UNKNOWN",
         },
         title: "pyLoad unauthenticated flask configuration leakage",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-21644",
      datePublished: "2024-01-08T13:20:55.182Z",
      dateReserved: "2023-12-29T03:00:44.958Z",
      dateUpdated: "2024-08-01T22:27:36.016Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2024-24808
Vulnerability from cvelistv5
Published
2024-02-06 03:17
Modified
2024-08-01 23:28
Summary
pyLoad is an open-source Download Manager written in pure Python. There is an open redirect vulnerability due to incorrect validation of input values when redirecting users after login. pyLoad is validating URLs via the `get_redirect_url` function when redirecting users at login. This vulnerability has been patched with commit fe94451.
Impacted products
Vendor Product Version
pyload pyload Version: <= 0.4.20


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-01T23:28:12.795Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/pyload/pyload/security/advisories/GHSA-g3cm-qg2v-2hj5",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/security/advisories/GHSA-g3cm-qg2v-2hj5",
               },
               {
                  name: "https://github.com/pyload/pyload/commit/fe94451dcc2be90b3889e2fd9d07b483c8a6dccd",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/commit/fe94451dcc2be90b3889e2fd9d07b483c8a6dccd",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "pyload",
               vendor: "pyload",
               versions: [
                  {
                     status: "affected",
                     version: "<= 0.4.20",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "pyLoad is an open-source Download Manager written in pure Python. There is an open redirect vulnerability due to incorrect validation of input values when redirecting users after login. pyLoad is validating URLs via the `get_redirect_url` function when redirecting users at login. This vulnerability has been patched with commit fe94451.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 4.7,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-601",
                     description: "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-02-06T03:17:16.532Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/pyload/pyload/security/advisories/GHSA-g3cm-qg2v-2hj5",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/pyload/pyload/security/advisories/GHSA-g3cm-qg2v-2hj5",
            },
            {
               name: "https://github.com/pyload/pyload/commit/fe94451dcc2be90b3889e2fd9d07b483c8a6dccd",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/pyload/pyload/commit/fe94451dcc2be90b3889e2fd9d07b483c8a6dccd",
            },
         ],
         source: {
            advisory: "GHSA-g3cm-qg2v-2hj5",
            discovery: "UNKNOWN",
         },
         title: "pyLoad open redirect vulnerability due to improper validation of the is_safe_url function",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-24808",
      datePublished: "2024-02-06T03:17:16.532Z",
      dateReserved: "2024-01-31T16:28:17.941Z",
      dateUpdated: "2024-08-01T23:28:12.795Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2024-21645
Vulnerability from cvelistv5
Published
2024-01-08 13:20
Modified
2024-11-14 17:38
Summary
pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77.
Impacted products
Vendor Product Version
pyload pyload Version: < 0.5.0b3.dev77


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-01T22:27:35.862Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr",
               },
               {
                  name: "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-21645",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-01-17T21:13:17.262265Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-11-14T17:38:32.866Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "pyload",
               vendor: "pyload",
               versions: [
                  {
                     status: "affected",
                     version: "< 0.5.0b3.dev77",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77.\n",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-74",
                     description: "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-08T13:20:47.181Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr",
            },
            {
               name: "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d",
            },
         ],
         source: {
            advisory: "GHSA-ghmw-rwh8-6qmr",
            discovery: "UNKNOWN",
         },
         title: "pyLoad Log Injection",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-21645",
      datePublished: "2024-01-08T13:20:47.181Z",
      dateReserved: "2023-12-29T03:00:44.958Z",
      dateUpdated: "2024-11-14T17:38:32.866Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-47890
Vulnerability from cvelistv5
Published
2024-01-08 00:00
Modified
2024-08-02 21:16
Summary
pyLoad 0.5.0 is vulnerable to Unrestricted File Upload.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T21:16:43.988Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://pyload.com",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/security/advisories/GHSA-h73m-pcfw-25h2",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "pyLoad 0.5.0 is vulnerable to Unrestricted File Upload.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-08T19:43:20.086661",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               url: "http://pyload.com",
            },
            {
               url: "https://github.com/pyload/pyload/security/advisories/GHSA-h73m-pcfw-25h2",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2023-47890",
      datePublished: "2024-01-08T00:00:00",
      dateReserved: "2023-11-13T00:00:00",
      dateUpdated: "2024-08-02T21:16:43.988Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-0488
Vulnerability from cvelistv5
Published
2023-01-26 00:00
Modified
2025-03-31 16:47
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42.
Impacted products
Vendor Product Version
pyload pyload/pyload Version: unspecified   < 0.5.0b3.dev42


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T05:10:56.446Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://huntr.dev/bounties/4311d8d7-682c-4f2a-b92c-3f9f1a36255a",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/commit/46d75a3087f3237d06530d55998938e2e2bda6bd",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-0488",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-03-31T16:46:52.053308Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-03-31T16:47:00.638Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "pyload/pyload",
               vendor: "pyload",
               versions: [
                  {
                     lessThan: "0.5.0b3.dev42",
                     status: "affected",
                     version: "unspecified",
                     versionType: "custom",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Cross-site Scripting (XSS) - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.6,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-79",
                     description: "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-01-26T00:00:00.000Z",
            orgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
            shortName: "@huntrdev",
         },
         references: [
            {
               url: "https://huntr.dev/bounties/4311d8d7-682c-4f2a-b92c-3f9f1a36255a",
            },
            {
               url: "https://github.com/pyload/pyload/commit/46d75a3087f3237d06530d55998938e2e2bda6bd",
            },
         ],
         source: {
            advisory: "4311d8d7-682c-4f2a-b92c-3f9f1a36255a",
            discovery: "EXTERNAL",
         },
         title: "Cross-site Scripting (XSS) - Stored in pyload/pyload",
      },
   },
   cveMetadata: {
      assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
      assignerShortName: "@huntrdev",
      cveId: "CVE-2023-0488",
      datePublished: "2023-01-26T00:00:00.000Z",
      dateReserved: "2023-01-25T00:00:00.000Z",
      dateUpdated: "2025-03-31T16:47:00.638Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-0509
Vulnerability from cvelistv5
Published
2023-01-26 00:00
Modified
2025-03-31 16:45
Summary
Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44.
Impacted products
Vendor Product Version
pyload pyload/pyload Version: unspecified   < 0.5.0b3.dev44


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T05:17:49.018Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://huntr.dev/bounties/a370e0c2-a41c-4871-ad91-bc6f31a8e839",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/commit/a9098bdf7406e6faf9df3da6ff2d584e90c13bbb",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-0509",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-03-31T16:45:22.563280Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-03-31T16:45:30.444Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "pyload/pyload",
               vendor: "pyload",
               versions: [
                  {
                     lessThan: "0.5.0b3.dev44",
                     status: "affected",
                     version: "unspecified",
                     versionType: "custom",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.4,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-295",
                     description: "CWE-295 Improper Certificate Validation",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-01-26T00:00:00.000Z",
            orgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
            shortName: "@huntrdev",
         },
         references: [
            {
               url: "https://huntr.dev/bounties/a370e0c2-a41c-4871-ad91-bc6f31a8e839",
            },
            {
               url: "https://github.com/pyload/pyload/commit/a9098bdf7406e6faf9df3da6ff2d584e90c13bbb",
            },
         ],
         source: {
            advisory: "a370e0c2-a41c-4871-ad91-bc6f31a8e839",
            discovery: "EXTERNAL",
         },
         title: "Improper Certificate Validation in pyload/pyload",
      },
   },
   cveMetadata: {
      assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
      assignerShortName: "@huntrdev",
      cveId: "CVE-2023-0509",
      datePublished: "2023-01-26T00:00:00.000Z",
      dateReserved: "2023-01-26T00:00:00.000Z",
      dateUpdated: "2025-03-31T16:45:30.444Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2024-22416
Vulnerability from cvelistv5
Published
2024-01-17 23:48
Modified
2024-08-01 22:43
Summary
pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade.
Impacted products
Vendor Product Version
pyload pyload Version: < 0.5.0b3.dev78


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-01T22:43:34.922Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm",
               },
               {
                  name: "https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e",
               },
               {
                  name: "https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "pyload",
               vendor: "pyload",
               versions: [
                  {
                     status: "affected",
                     version: "< 0.5.0b3.dev78",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.7,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-352",
                     description: "CWE-352: Cross-Site Request Forgery (CSRF)",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-17T23:48:31.422Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm",
            },
            {
               name: "https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e",
            },
            {
               name: "https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc",
            },
         ],
         source: {
            advisory: "GHSA-pgpj-v85q-h5fm",
            discovery: "UNKNOWN",
         },
         title: "Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-22416",
      datePublished: "2024-01-17T23:48:31.422Z",
      dateReserved: "2024-01-10T15:09:55.552Z",
      dateUpdated: "2024-08-01T22:43:34.922Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-0435
Vulnerability from cvelistv5
Published
2023-01-22 00:00
Modified
2025-04-02 15:50
Summary
Excessive Attack Surface in GitHub repository pyload/pyload prior to 0.5.0b3.dev41.
Impacted products
Vendor Product Version
pyload pyload/pyload Version: unspecified   < 0.5.0b3.dev41


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T05:10:56.243Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://huntr.dev/bounties/a3e32ad5-caee-4f43-b10a-4a876d4e3f1d",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/commit/431ea6f0371d748df66b344a05ca1a8e0310cff3",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-0435",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-04-02T15:49:55.092645Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-04-02T15:50:20.297Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "pyload/pyload",
               vendor: "pyload",
               versions: [
                  {
                     lessThan: "0.5.0b3.dev41",
                     status: "affected",
                     version: "unspecified",
                     versionType: "custom",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Excessive Attack Surface in GitHub repository pyload/pyload prior to 0.5.0b3.dev41.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 4,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-1125",
                     description: "CWE-1125 Excessive Attack Surface",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-01-22T00:00:00.000Z",
            orgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
            shortName: "@huntrdev",
         },
         references: [
            {
               url: "https://huntr.dev/bounties/a3e32ad5-caee-4f43-b10a-4a876d4e3f1d",
            },
            {
               url: "https://github.com/pyload/pyload/commit/431ea6f0371d748df66b344a05ca1a8e0310cff3",
            },
         ],
         source: {
            advisory: "a3e32ad5-caee-4f43-b10a-4a876d4e3f1d",
            discovery: "EXTERNAL",
         },
         title: "Excessive Attack Surface in pyload/pyload",
      },
   },
   cveMetadata: {
      assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
      assignerShortName: "@huntrdev",
      cveId: "CVE-2023-0435",
      datePublished: "2023-01-22T00:00:00.000Z",
      dateReserved: "2023-01-22T00:00:00.000Z",
      dateUpdated: "2025-04-02T15:50:20.297Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-0434
Vulnerability from cvelistv5
Published
2023-01-22 00:00
Modified
2025-04-02 15:51
Summary
Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40.
Impacted products
Vendor Product Version
pyload pyload/pyload Version: unspecified   < 0.5.0b3.dev40


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T05:10:56.001Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://huntr.dev/bounties/7d9332d8-6997-483b-9fb9-bcf2ae01dad4",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/pyload/pyload/commit/a2b1eb1028f45ac58dea5f58593c1d3db2b4a104",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-0434",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-04-02T15:51:18.168203Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-04-02T15:51:41.649Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "pyload/pyload",
               vendor: "pyload",
               versions: [
                  {
                     lessThan: "0.5.0b3.dev40",
                     status: "affected",
                     version: "unspecified",
                     versionType: "custom",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "LOW",
                  attackVector: "PHYSICAL",
                  availabilityImpact: "HIGH",
                  baseScore: 5.4,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "HIGH",
                  privilegesRequired: "HIGH",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.0/AV:P/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-20",
                     description: "CWE-20 Improper Input Validation",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-01-22T00:00:00.000Z",
            orgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
            shortName: "@huntrdev",
         },
         references: [
            {
               url: "https://huntr.dev/bounties/7d9332d8-6997-483b-9fb9-bcf2ae01dad4",
            },
            {
               url: "https://github.com/pyload/pyload/commit/a2b1eb1028f45ac58dea5f58593c1d3db2b4a104",
            },
         ],
         source: {
            advisory: "7d9332d8-6997-483b-9fb9-bcf2ae01dad4",
            discovery: "EXTERNAL",
         },
         title: "Improper Input Validation in pyload/pyload",
      },
   },
   cveMetadata: {
      assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
      assignerShortName: "@huntrdev",
      cveId: "CVE-2023-0434",
      datePublished: "2023-01-22T00:00:00.000Z",
      dateReserved: "2023-01-21T00:00:00.000Z",
      dateUpdated: "2025-04-02T15:51:41.649Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2024-1240
Vulnerability from cvelistv5
Published
2024-11-15 10:57
Modified
2024-11-15 19:07
Summary
An open redirection vulnerability exists in pyload/pyload version 0.5.0. The vulnerability is due to improper handling of the 'next' parameter in the login functionality. An attacker can exploit this vulnerability to redirect users to malicious sites, which can be used for phishing or other malicious activities. The issue is fixed in pyload-ng 0.5.0b3.dev79.
Impacted products
Vendor Product Version
pyload pyload/pyload Version: unspecified   < pyload-ng 0.5.0b3.dev79


{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:payload:payload:*:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "payload",
                  vendor: "payload",
                  versions: [
                     {
                        lessThan: "pyload-ng 0.5.0b3.dev79",
                        status: "affected",
                        version: "0",
                        versionType: "custom",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "LOW",
                     attackVector: "NETWORK",
                     availabilityImpact: "LOW",
                     baseScore: 4.6,
                     baseSeverity: "MEDIUM",
                     confidentialityImpact: "NONE",
                     integrityImpact: "LOW",
                     privilegesRequired: "LOW",
                     scope: "UNCHANGED",
                     userInteraction: "REQUIRED",
                     vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2024-1240",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-11-15T19:04:11.868290Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-11-15T19:07:26.471Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "pyload/pyload",
               vendor: "pyload",
               versions: [
                  {
                     lessThan: "pyload-ng 0.5.0b3.dev79",
                     status: "affected",
                     version: "unspecified",
                     versionType: "custom",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "An open redirection vulnerability exists in pyload/pyload version 0.5.0. The vulnerability is due to improper handling of the 'next' parameter in the login functionality. An attacker can exploit this vulnerability to redirect users to malicious sites, which can be used for phishing or other malicious activities. The issue is fixed in pyload-ng 0.5.0b3.dev79.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 4.6,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-601",
                     description: "CWE-601 URL Redirection to Untrusted Site",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-11-15T10:57:07.797Z",
            orgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
            shortName: "@huntr_ai",
         },
         references: [
            {
               url: "https://huntr.com/bounties/eef9513d-ccc3-4030-b574-374c5e7b887e",
            },
            {
               url: "https://github.com/pyload/pyload/commit/fe94451dcc2be90b3889e2fd9d07b483c8a6dccd",
            },
         ],
         source: {
            advisory: "eef9513d-ccc3-4030-b574-374c5e7b887e",
            discovery: "EXTERNAL",
         },
         title: "Open Redirection in pyload/pyload",
      },
   },
   cveMetadata: {
      assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a",
      assignerShortName: "@huntr_ai",
      cveId: "CVE-2024-1240",
      datePublished: "2024-11-15T10:57:07.797Z",
      dateReserved: "2024-02-05T22:31:20.037Z",
      dateUpdated: "2024-11-15T19:07:26.471Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}