CVE-2024-32880: pyLoad allows upload to arbitrary folder lead to RCE

April 24, 2024

An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution

References

github.com/advisories/GHSA-3f7w-p8vr-4v5f
github.com/pyload/pyload
github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f
nvd.nist.gov/vuln/detail/CVE-2024-32880

Detect and mitigate CVE-2024-32880 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →