CVE-2024-22416: Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
The pyLoad API allows any API call to be made using GET requests. Because the session cookie's SameSite attribute is not set to Strict, a browser will attach it to cross-origin requests, which exposes the application to a Cross-Site Request Forgery (CSRF) attack. The proof of concept shows how an unauthenticated attacker could trick a logged-in administrator's browser into creating a new admin user.
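The two conditions that combine here are a session cookie without a restrictive SameSite attribute and state-changing API methods that accept GET. The following added example (written for this page, not pyLoad's own code) shows a defender-side check for both: it inspects a Set-Cookie header for the SameSite value, and it models a server-side gate that refuses state-changing calls unless they arrive via POST with a matching anti-CSRF token. The cookie name `session`, the header `X-CSRF-Token` and the API method names are hypothetical.

```python
"""Defensive checks for the CSRF pattern behind CVE-2024-22416.

Added example; not pyLoad's code. Cookie name, header name and API method
names are hypothetical placeholders.
"""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

# Hypothetical set of API methods that change server state.
STATE_CHANGING = {"add_user", "delete_user", "set_config"}


def cookie_samesite(set_cookie_header: str, name: str) -> Optional[str]:
    """Return the SameSite value for cookie `name` in a Set-Cookie header, or None if absent."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        return None
    value = jar[name]["samesite"]  # "" when the attribute is missing
    return value or None


def cookie_is_csrf_hardened(set_cookie_header: str, name: str, state_changing_get: bool) -> bool:
    """Decide whether the session cookie policy blocks the cross-site request.

    Strict blocks all cross-site sends. Lax still sends the cookie on top-level
    GET navigations, so it only helps if state-changing calls are not reachable via GET.
    """
    mode = (cookie_samesite(set_cookie_header, name) or "").lower()
    if mode == "strict":
        return True
    if mode == "lax":
        return not state_changing_get
    return False


@dataclass
class Request:
    """Minimal constructed model of an incoming API request."""
    method: str
    api_method: str
    headers: Dict[str, str] = field(default_factory=dict)


def allow_api_call(req: Request, session_csrf_token: str) -> Tuple[bool, str]:
    """Server-side gate: state-changing methods need POST plus a per-session anti-CSRF token.

    Read-only methods are passed through unchanged; the token is compared against
    the value bound to the caller's session (here supplied directly for the example).
    """
    if req.api_method not in STATE_CHANGING:
        return True, "read-only call"
    if req.method.upper() != "POST":
        return False, "state-changing call must use POST"
    if req.headers.get("X-CSRF-Token") != session_csrf_token:
        return False, "missing or mismatched anti-CSRF token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample headers: the weak policy beside the hardened one.
    weak = "session=abc123; Path=/; HttpOnly"
    strong = "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"
    print("weak cookie blocks CSRF:", cookie_is_csrf_hardened(weak, "session", state_changing_get=True))
    print("strong cookie blocks CSRF:", cookie_is_csrf_hardened(strong, "session", state_changing_get=True))
    print(allow_api_call(Request("GET", "add_user"), "tok"))
    print(allow_api_call(Request("POST", "add_user", {"X-CSRF-Token": "tok"}), "tok"))
```

The gate treats the request method and the token as two independent controls: moving state changes off GET removes the forged-link vector, and the token defeats forged cross-origin POSTs that SameSite alone would not stop in older browsers or under a Lax default.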
References
- github.com/advisories/GHSA-pgpj-v85q-h5fm
- github.com/pyload/pyload
- github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e
- github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc
- github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm
- github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2024-17.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-22416