CVE-2024-32880 (GCVE-0-2024-32880)
Vulnerability from cvelistv5 – Published: 2024-04-26 17:30 – Updated: 2024-08-02 02:20
VLAI?
Summary
pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution. There is no fix available at the time of publication.
Severity ?
9.1 (Critical)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pyload:pyload:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32880",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-26T18:47:38.741143Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:51:11.607Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:35.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution. There is no fix available at the time of publication."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-26T17:30:24.685Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f"
}
],
"source": {
"advisory": "GHSA-3f7w-p8vr-4v5f",
"discovery": "UNKNOWN"
},
"title": "pyLoad allows upload to arbitrary folder lead to RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32880",
"datePublished": "2024-04-26T17:30:24.685Z",
"dateReserved": "2024-04-19T14:07:11.230Z",
"dateUpdated": "2024-08-02T02:20:35.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution. There is no fix available at the time of publication.\"}, {\"lang\": \"es\", \"value\": \"pyload es un administrador de descargas de c\\u00f3digo abierto escrito en Python puro. Un usuario autenticado puede cambiar la carpeta de descarga y cargar una plantilla manipulada en la carpeta especificada, lo que lleva a la ejecuci\\u00f3n remota del c\\u00f3digo. No hay ninguna soluci\\u00f3n disponible en el momento de la publicaci\\u00f3n.\"}]",
"id": "CVE-2024-32880",
"lastModified": "2024-11-21T09:15:55.643",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 9.1, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 6.0}]}",
"published": "2024-04-26T18:15:45.970",
"references": "[{\"url\": \"https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-434\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-32880\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-04-26T18:15:45.970\",\"lastModified\":\"2025-09-04T14:23:51.593\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution. There is no fix available at the time of publication.\"},{\"lang\":\"es\",\"value\":\"pyload es un administrador de descargas de c\u00f3digo abierto escrito en Python puro. Un usuario autenticado puede cambiar la carpeta de descarga y cargar una plantilla manipulada en la carpeta especificada, lo que lleva a la ejecuci\u00f3n remota del c\u00f3digo. No hay ninguna soluci\u00f3n disponible en el momento de la publicaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"0.5.0\",\"matchCriteriaId\":\"9347973D-3989-4969-8721-8A55ABBE2F6E\"}]}]}],\"references\":[{\"url\":\"https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"pyLoad allows upload to arbitrary folder lead to RCE\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-434\", \"lang\": \"en\", \"description\": \"CWE-434: Unrestricted Upload of File with Dangerous Type\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 9.1, \"baseSeverity\": \"CRITICAL\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"scope\": \"CHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f\"}], \"affected\": [{\"vendor\": \"pyload\", \"product\": \"pyload\", \"versions\": [{\"version\": \"\u003c= 4.2.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-04-26T17:30:24.685Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution. There is no fix available at the time of publication.\"}], \"source\": {\"advisory\": \"GHSA-3f7w-p8vr-4v5f\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-32880\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-26T18:47:38.741143Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:pyload:pyload:-:*:*:*:*:*:*:*\"], \"vendor\": \"pyload\", \"product\": \"pyload\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-04-26T18:45:47.257Z\"}, \"title\": \"CISA ADP Vulnrichment\"}]}",
"cveMetadata": "{\"cveId\": \"CVE-2024-32880\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-04-19T14:07:11.230Z\", \"datePublished\": \"2024-04-26T17:30:24.685Z\", \"dateUpdated\": \"2024-06-04T17:51:11.607Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GHSA-3F7W-P8VR-4V5F
Vulnerability from github – Published: 2024-04-24 21:16 – Updated: 2024-04-26 18:51
VLAI?
Summary
pyLoad allows upload to arbitrary folder lead to RCE
Details
Summary
An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution
Details
example version: 0.5 file:src/pyload/webui/app/blueprints/app_blueprint.py
@bp.route("/render/<path:filename>", endpoint="render")
def render(filename):
mimetype = mimetypes.guess_type(filename)[0] or "text/html"
data = render_template(filename)
return flask.Response(data, mimetype=mimetype)
So, if we can control file in the path "pyload/webui/app/templates" in latest version and path in "module/web/media/js"(the difference is the older version0.4.20 only renders file with extension name ".js"), the render_template func will works like SSTI(server-side template injection) when render the evil file we control.
in /settings page and the choose option general/general, where we can change the download folder.
Also, we can find the pyLoad install folder in /info page
So, we can change the value of Download folder to the template path. Then through /json/add_package we can upload a crafted template file to RCE.
@bp.route("/json/add_package", methods=["POST"], endpoint="add_package")
# @apiver_check
@login_required("ADD")
def add_package():
api = flask.current_app.config["PYLOAD_API"]
package_name = flask.request.form.get("add_name", "New Package").strip()
queue = int(flask.request.form["add_dest"])
links = [l.strip() for l in flask.request.form["add_links"].splitlines()]
pw = flask.request.form.get("add_password", "").strip("\n\r")
try:
file = flask.request.files["add_file"]
if file.filename:
if not package_name or package_name == "New Package":
package_name = file.filename
file_path = os.path.join(
api.get_config_value("general", "storage_folder"), "tmp_" + file.filename
)
file.save(file_path)
links.insert(0, file_path)
except Exception:
pass
urls = [url for url in links if url.strip()]
pack = api.add_package(package_name, urls, queue)
if pw:
data = {"password": pw}
api.set_package_data(pack, data)
return jsonify(True)
PoC
First login into the admin page, then visit the info page to get the path of pyload installation folder. Second, change the download folder to PYLOAD_INSTALL_DIR/ webui/app/templates/ Third, upload crafted template file through /json/add_package through parameter add_file the content of crafted template file and its filename is "341.html":
{{x.__init__.__globals__['__builtins__']['eval']("__import__('os').popen('whoami').read()")}}
Last, visit http://TARGET/render/tmp_341.html to trigger the RCE
Impact
It is a RCE vulnerability and I think it affects all versions. In earlier version 0.4.20, the trigger difference is the pyload installation folder path difference and the upload file must with extension ".js" . The render js code in version 0.4.20:
@route("/media/js/<path:re:.+\.js>")
def js_dynamic(path):
response.headers['Expires'] = time.strftime("%a, %d %b %Y %H:%M:%S GMT",
time.gmtime(time.time() + 60 * 60 * 24 * 2))
response.headers['Cache-control'] = "public"
response.headers['Content-Type'] = "text/javascript; charset=UTF-8"
try:
# static files are not rendered
if "static" not in path and "mootools" not in path:
t = env.get_template("js/%s" % path)
return t.render()
else:
return static_file(path, root=join(PROJECT_DIR, "media", "js"))
except:
return HTTPError(404, "Not Found")
Severity ?
9.1 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyload-ng"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-32880"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-24T21:16:59Z",
"nvd_published_at": "2024-04-26T18:15:45Z",
"severity": "CRITICAL"
},
"details": "### Summary\nAn authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution\n\n### Details\nexample version: 0.5\nfile:src/pyload/webui/app/blueprints/app_blueprint.py\n```python\n@bp.route(\"/render/\u003cpath:filename\u003e\", endpoint=\"render\")\ndef render(filename):\n mimetype = mimetypes.guess_type(filename)[0] or \"text/html\"\n data = render_template(filename)\n return flask.Response(data, mimetype=mimetype)\n```\nSo, if we can control file in the path \"pyload/webui/app/templates\" in latest version and path in \"module/web/media/js\"(the difference is the older version0.4.20 only renders file with extension name \".js\"), the render_template func will works like SSTI(server-side template injection) when render the evil file we control.\n\nin /settings page and the choose option general/general, where we can change the download folder. \n\n\nAlso, we can find the pyLoad install folder in /info page\n\nSo, we can change the value of Download folder to the template path. Then through /json/add_package we can upload a crafted template file to RCE.\n```python\n@bp.route(\"/json/add_package\", methods=[\"POST\"], endpoint=\"add_package\")\n# @apiver_check\n@login_required(\"ADD\")\ndef add_package():\n api = flask.current_app.config[\"PYLOAD_API\"]\n\n package_name = flask.request.form.get(\"add_name\", \"New Package\").strip()\n queue = int(flask.request.form[\"add_dest\"])\n links = [l.strip() for l in flask.request.form[\"add_links\"].splitlines()]\n pw = flask.request.form.get(\"add_password\", \"\").strip(\"\\n\\r\")\n\n try:\n file = flask.request.files[\"add_file\"]\n\n if file.filename:\n if not package_name or package_name == \"New Package\":\n package_name = file.filename\n\n file_path = os.path.join(\n api.get_config_value(\"general\", \"storage_folder\"), \"tmp_\" + file.filename\n )\n file.save(file_path)\n links.insert(0, file_path)\n\n except Exception:\n pass\n\n urls = [url for url in links if url.strip()]\n pack = api.add_package(package_name, urls, queue)\n if pw:\n data = {\"password\": pw}\n api.set_package_data(pack, data)\n\n return jsonify(True)\n```\n### PoC\nFirst login into the admin page, then visit the info page to get the path of pyload installation folder.\nSecond, change the download folder to PYLOAD_INSTALL_DIR/ webui/app/templates/\nThird, upload crafted template file through /json/add_package through parameter add_file\nthe content of crafted template file and its filename is \"341.html\":\n```\n{{x.__init__.__globals__[\u0027__builtins__\u0027][\u0027eval\u0027](\"__import__(\u0027os\u0027).popen(\u0027whoami\u0027).read()\")}}\n```\n\nLast, visit http://TARGET/render/tmp_341.html to trigger the RCE\n\n\n\n### Impact\nIt is a RCE vulnerability and I think it affects all versions. In earlier version 0.4.20, the trigger difference is the pyload installation folder path difference and the upload file must with extension \".js\" .\nThe render js code in version 0.4.20:\n```python\n@route(\"/media/js/\u003cpath:re:.+\\.js\u003e\")\ndef js_dynamic(path):\n response.headers[\u0027Expires\u0027] = time.strftime(\"%a, %d %b %Y %H:%M:%S GMT\",\n time.gmtime(time.time() + 60 * 60 * 24 * 2))\n response.headers[\u0027Cache-control\u0027] = \"public\"\n response.headers[\u0027Content-Type\u0027] = \"text/javascript; charset=UTF-8\"\n\n try:\n # static files are not rendered\n if \"static\" not in path and \"mootools\" not in path:\n t = env.get_template(\"js/%s\" % path)\n return t.render()\n else:\n return static_file(path, root=join(PROJECT_DIR, \"media\", \"js\"))\n except:\n return HTTPError(404, \"Not Found\")\n```",
"id": "GHSA-3f7w-p8vr-4v5f",
"modified": "2024-04-26T18:51:15Z",
"published": "2024-04-24T21:16:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32880"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyload/pyload"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "pyLoad allows upload to arbitrary folder lead to RCE"
}
GSD-2024-32880
Vulnerability from gsd - Updated: 2024-04-20 05:02Details
pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution. There is no fix available at the time of publication.
Aliases
{
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2024-32880"
],
"details": "pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution. There is no fix available at the time of publication.",
"id": "GSD-2024-32880",
"modified": "2024-04-20T05:02:00.467829Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2024-32880",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "pyload",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "\u003c= 4.2.0"
}
]
}
}
]
},
"vendor_name": "pyload"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution. There is no fix available at the time of publication."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-434",
"lang": "eng",
"value": "CWE-434: Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f",
"refsource": "MISC",
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f"
}
]
},
"source": {
"advisory": "GHSA-3f7w-p8vr-4v5f",
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"cve": {
"descriptions": [
{
"lang": "en",
"value": "pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution. There is no fix available at the time of publication."
}
],
"id": "CVE-2024-32880",
"lastModified": "2024-04-26T19:59:19.793",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-04-26T18:15:45.970",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
}
}
}
FKIE_CVE-2024-32880
Vulnerability from fkie_nvd - Published: 2024-04-26 18:15 - Updated: 2025-09-04 14:23
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution. There is no fix available at the time of publication.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f | Exploit, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9347973D-3989-4969-8721-8A55ABBE2F6E",
"versionEndIncluding": "0.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution. There is no fix available at the time of publication."
},
{
"lang": "es",
"value": "pyload es un administrador de descargas de c\u00f3digo abierto escrito en Python puro. Un usuario autenticado puede cambiar la carpeta de descarga y cargar una plantilla manipulada en la carpeta especificada, lo que lleva a la ejecuci\u00f3n remota del c\u00f3digo. No hay ninguna soluci\u00f3n disponible en el momento de la publicaci\u00f3n."
}
],
"id": "CVE-2024-32880",
"lastModified": "2025-09-04T14:23:51.593",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-04-26T18:15:45.970",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…