pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-01-17T23:48:31.422Z
Updated: 2024-01-17T23:48:31.422Z
Reserved: 2024-01-10T15:09:55.552Z
Link: CVE-2024-22416
JSON object: View
NVD Information
Status : Analyzed
Published: 2024-01-18T00:15:38.397
Modified: 2024-01-29T17:02:04.487
Link: CVE-2024-22416
JSON object: View
Redhat Information
No data.
CWE