Pypi · Js2Py · CVE-2024-28397
**Name of the Vulnerable Software and Affected Versions**
js2py versions prior to 0.74
python-Js2Py versions prior to 0.74-3.1 (openSUSE Tumbleweed)
pyload-ng versions less than or equal to 0.5.0b3.dev85 (when used with Python 3.11 or below)
**Description**
A sandbox escape issue exists in the `js2py.disable_pyimport()` component of js2py, allowing attackers to execute arbitrary code via a crafted API call. This vulnerability, identified as CVE-2024-28397, can be exploited by sending a malicious JavaScript payload to an application that evaluates it with js2py. The payload bypasses the sandbox restrictions and executes commands on the host system. The pyload-ng application, when using js2py with Python 3.11 or below, is vulnerable through its `/flash/addcrypted2` API endpoint. An attacker can bypass the endpoint's localhost restriction using HTTP headers and achieve Remote Code Execution (RCE). Millions of Python users are potentially affected, as js2py is a widely used library with over 1 million monthly downloads.
**Recommendations**
js2py versions prior to 0.74: Upgrade to a newer version that addresses this vulnerability.
python-Js2Py versions prior to 0.74-3.1 (openSUSE Tumbleweed): Upgrade to version 0.74-3.1 or later.
pyload-ng versions less than or equal to 0.5.0b3.dev85 (when used with Python 3.11 or below): Upgrade to a newer version of pyload-ng that addresses this vulnerability or use Python 3.12 or above.
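
To triage a Python environment against the affected ranges listed above, the following added example (not code from js2py, pyload-ng, or this advisory's source) compares installed PyPI distributions with those ranges. The helper names `vkey`, `is_affected` and `scan` are hypothetical, and the version parser is an assumption that covers only strings shaped like `0.74` or `0.5.0b3.dev85`.

```python
import re
import sys
from importlib import metadata

_PHASE = {"a": 0, "b": 1, "rc": 2}
_VER = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?(?:\.dev(\d+))?$")

def vkey(version):
    """Sort key for a subset of PEP 440: N.N[.N][{a|b|rc}N][.devN]."""
    m = _VER.match(version.strip().lower())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    rel = [int(p) for p in m.group(1).split(".")]
    while len(rel) > 1 and rel[-1] == 0:      # treat 0.74.0 as equal to 0.74
        rel.pop()
    if m.group(2):
        pre = (_PHASE[m.group(2)], int(m.group(3)))
    elif m.group(4):
        pre = (-1, 0)                         # X.devN sorts before X.a1
    else:
        pre = (3, 0)                          # final release sorts after rc
    dev = (0, int(m.group(4))) if m.group(4) else (1, 0)
    return (tuple(rel), pre, dev)

def is_affected(package, version, python=sys.version_info[:2]):
    """Apply the ranges stated in this advisory (values copied from the page)."""
    name = package.lower().replace("_", "-")
    if name == "js2py":
        return vkey(version) < vkey("0.74")
    if name == "pyload-ng":                   # only with Python 3.11 or below
        return vkey(version) <= vkey("0.5.0b3.dev85") and tuple(python) <= (3, 11)
    return False

def scan(packages=("js2py", "pyload-ng")):
    """Map each package to True/False, None (not installed) or 'unknown'."""
    findings = {}
    for name in packages:
        try:
            findings[name] = is_affected(name, metadata.version(name))
        except metadata.PackageNotFoundError:
            findings[name] = None
        except ValueError:                    # version shape outside the parser
            findings[name] = "unknown"
    return findings

if __name__ == "__main__":
    labels = {None: "not installed", True: "AFFECTED", False: "ok"}
    for pkg, hit in scan().items():
        print(f"{pkg}: {labels.get(hit, 'unknown version, check manually')}")
```

Run it with the interpreter that serves the application, since the pyload-ng condition depends on the Python version. The openSUSE `python-Js2Py` package carries an RPM release number (`0.74-3.1`) that Python metadata does not expose, so check that one with the system package manager.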