PT-2023-30657 · Pyload · Pyload

Vergl4S

Published: 2023-11-21 · Updated: 2024-01-11

CVE-2023-47890

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: pyLoad version 0.5.0

Description: The issue allows an authenticated user to upload files to arbitrary locations on the server, potentially leading to command execution by abusing scripts. When a new package is created, a subdirectory is created within the /downloads folder; when a package is edited, however, no such restriction is applied, so a user can pick any directory in the filesystem. This can be exploited to gain remote control over the pyLoad server. An estimated number of potentially affected devices is not provided, and there is no information about real-world incidents where this issue was exploited.

Recommendations: For pyLoad version 0.5.0, as a temporary workaround, consider restricting access to the edit_package function in json_blueprint.py to prevent users from setting arbitrary directories. Additionally, restrict access to the /config/scripts/ directory to minimize the risk of exploitation. Avoid using the pack_folder parameter of the edit_package function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
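As an added example, not pyLoad's own code, the containment check a maintainer could place in front of the folder value submitted when editing a package, so that edits are held to the same rule as package creation (a subdirectory under the download root). The download root, function names and sample inputs are assumptions chosen for illustration.

```python
"""Confine a user-supplied package folder to the download root.

Added example for the pattern behind CVE-2023-47890: the folder given
when editing a package must resolve inside the download root, exactly
as it does when a package is created.  Names are assumptions.
"""
import os


class UnsafeFolderError(ValueError):
    """Raised when a requested folder would escape the download root."""


def resolve_pack_folder(download_root: str, requested: str) -> str:
    """Return an absolute path for `requested` that lies inside `download_root`.

    Rejects empty or padded names, absolute paths and drive prefixes,
    any '.', '..' or empty path component (so 'a//b' and 'dir/' fail
    too), and symlink escapes detected after resolving the final path.
    """
    if not requested or requested != requested.strip():
        raise UnsafeFolderError("empty or whitespace-padded folder name")
    if os.path.isabs(requested) or os.path.splitdrive(requested)[0]:
        raise UnsafeFolderError(f"absolute path rejected: {requested!r}")
    # Reject traversal components lexically before touching the filesystem.
    parts = requested.replace("\\", "/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise UnsafeFolderError(f"traversal component rejected: {requested!r}")
    root = os.path.realpath(download_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    # realpath follows symlinks, so a link under the root that points
    # outside it is caught here as well as plain '../' sequences.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeFolderError(f"resolved outside download root: {candidate}")
    return candidate


def is_safe_pack_folder(download_root: str, requested: str) -> bool:
    """Boolean form of resolve_pack_folder for use in a request handler."""
    try:
        resolve_pack_folder(download_root, requested)
        return True
    except UnsafeFolderError:
        return False


if __name__ == "__main__":
    # Constructed inputs: values a package edit might submit as the folder.
    root = "/srv/pyload/downloads"  # assumed download root
    for name in ["movies/new", "../config/scripts", "/etc", "a/./b"]:
        print(f"{name!r:>22} -> {is_safe_pack_folder(root, name)}")
```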

Exploit

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2023-47890
GHSA-H73M-PCFW-25H2

Affected Products

Pyload