PT-2023-8517 · Pyload · Pyload

Credits: Kaydoda (+1)
Published: 2023-01-17 · Updated: 2024-01-29
CVE-2024-22416
CVSS v2.0: 10.0 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: pyLoad versions prior to 0.5.0b3.dev78
Description: The issue is a Cross-Site Request Forgery (CSRF) weakness. Because the session cookie is not set with SameSite=Strict, the browser attaches it to requests triggered by other sites, which opens the application up to severe attacks: an unauthenticated attacker can cause any API call to be made with an authenticated user's session. For example, an attacker can trick an administrator into visiting a malicious page which makes a request to /api/add_user/ and adds a new administrator to the pyLoad application.
Recommendations: For versions prior to 0.5.0b3.dev78, upgrade to release 0.5.0b3.dev78 or later, which addresses the issue. As a temporary workaround, restrict access to the pyLoad API to minimize the risk of exploitation; note that the forged request is sent from the administrator's own browser, so a network restriction only helps if that browser cannot reach the API either. Avoid using the pyLoad API until the fix is applied.
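The following is an added example, not pyLoad's own code or the fix commit. It models the mechanism the description above relies on: a malicious page on another origin issues a request to the cookie-authenticated API, and whether the browser attaches the session cookie depends solely on the cookie's SameSite attribute. The cookie name "session", the origin http://pyload.local:8000, the attack-vector table and the server-side origin check are all assumptions made for illustration; the browser model follows the SameSite rules as specified, with an unset attribute modelled as the legacy "always send" behaviour the advisory assumes (Chromium now defaults unset cookies to Lax but still sends them on top-level POSTs for two minutes after they are set).

```python
"""Added example (not pyLoad's code): why an unset SameSite attribute lets a
malicious page drive pyLoad's cookie-authenticated API, and what the fix changes.

Assumptions, not taken from the advisory: the session cookie name "session",
the origin http://pyload.local:8000, and the request shapes listed below."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def session_cookie_header(value, samesite=None, name="session"):
    """Build the Set-Cookie header value for the session cookie.

    samesite=None reproduces the vulnerable configuration (attribute absent);
    samesite="Strict" is the hardened one the advisory calls for.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    if samesite is not None:
        jar[name]["samesite"] = samesite
    return jar.output(header="").strip()


def browser_attaches_cookie(samesite, cross_site, top_level_navigation, method):
    """Model of the SameSite rules a browser applies before attaching a cookie.

    Unset is modelled as SameSite=None (legacy behaviour; assumption, see
    lead-in). Strict never sends on cross-site requests; Lax sends only on
    top-level navigations using a safe method.
    """
    if not cross_site:
        return True
    policy = (samesite or "None").lower()
    if policy == "strict":
        return False
    if policy == "lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True


# Constructed: three ways a page on another origin can hit /api/add_user from
# the administrator's browser, as (label, method, top-level navigation?).
ATTACK_VECTORS = [
    ("form-post", "POST", True),   # auto-submitted <form method="POST" action=".../api/add_user/">
    ("img-get", "GET", False),     # <img src=".../api/add_user/?..."> or fetch() from script
    ("nav-get", "GET", True),      # window.location = ".../api/add_user/?..."
]


def csrf_outcomes(samesite):
    """Map each attack vector to True if the forged request would carry the session cookie."""
    return {label: browser_attaches_cookie(samesite, True, top, method)
            for label, method, top in ATTACK_VECTORS}


def is_cross_site_request(headers, trusted_origin):
    """Server-side defence in depth (assumed, not part of the fix): reject
    state-changing API calls whose Fetch Metadata / Origin / Referer headers do
    not match our own origin, failing closed when nothing identifies the initiator."""
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is not None:
        return site not in ("same-origin", "none")  # "none" = typed URL or bookmark
    initiator = h.get("origin") or h.get("referer")
    if not initiator:
        return True
    parts = urlsplit(initiator)
    return f"{parts.scheme}://{parts.netloc}" != trusted_origin


if __name__ == "__main__":
    print("vulnerable:", session_cookie_header("abc123"))
    print("hardened:  ", session_cookie_header("abc123", samesite="Strict"))
    for setting in (None, "Lax", "Strict"):
        print(f"SameSite={setting}:", csrf_outcomes(setting))
```

Running the block shows that with no SameSite attribute every vector carries the cookie, with Lax the top-level GET navigation still does (which is why an API that also honours GET needs Strict, as the advisory says), and with Strict none of them do. The origin check is an extra layer for deployments that cannot upgrade immediately; it does not replace the cookie attribute.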

References: Exploit · Fix
Tags: CSRF

Weakness Enumeration: CWE-352 (Cross-Site Request Forgery)

Related Identifiers

BDU:2024-01075
CVE-2024-22416
GHSA-PGPJ-V85Q-H5FM
PYSEC-2024-17

Affected Products

Pyload