Vulnerability Details CVE-2024-22416
pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.059
EPSS Ranking 90.2%
CVSS Severity
CVSS v3 Score 9.6
References
- https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e
- https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc
- https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm
- https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e
- https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc
- https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm
Products affected by CVE-2024-22416
-
cpe:2.3:a:pyload-ng_project:pyload-ng:-
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev528
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev532
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev535
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev536
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev537
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev539
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev540
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev545
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev562
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev564
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev565
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a6.dev570
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a6.dev578
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a6.dev587
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a7.dev596
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a8.dev602
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev615
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev629
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev632
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev641
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev643
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev655
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev806
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev1
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev2
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev3
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev4
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev5
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b2.dev10
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b2.dev11
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b2.dev12
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b2.dev9
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev13
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev14
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev17
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev18
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev19
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev20
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev21
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev22
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev24
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev26
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev27
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev28
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev29
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev30
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev31
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev32
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev33
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev34
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev35
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev38
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev39
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev40
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev41
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev42
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev43
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev44
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev45
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev46
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev47