PT-2024-18994 · Pyload · Pyload

Pinkdraconian · Published 2024-01-08 · Updated 2024-01-12 · CVE-2024-21644

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

pyLoad versions prior to 0.5.0b3.dev77

Description

Any unauthenticated user can browse to a specific URL to expose the Flask config, including the SECRET_KEY variable. This issue allows attackers to access sensitive information, which could have detrimental consequences for security. The estimated number of potentially affected devices is not specified.

Recommendations

For versions prior to 0.5.0b3.dev77, update to version 0.5.0b3.dev77 or later to resolve the issue. As a temporary workaround, consider restricting access to the /render/info.html endpoint to minimize the risk of exploitation. Avoid using the SECRET_KEY variable in the affected API endpoint until the issue is resolved.
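
One way to apply the temporary workaround above when upgrading is not yet possible, as an added example that is not pyLoad's own code: a WSGI wrapper that answers 403 for /render/info.html unless the client address is allow-listed. It assumes the web UI can be wrapped as a WSGI application; the class name, the helper and the default allow-list are hypothetical.

```python
"""WSGI wrapper restricting /render/info.html to allow-listed clients (added example)."""
import ipaddress
import posixpath
from urllib.parse import unquote

BLOCKED_PATH = "/render/info.html"  # endpoint named in the advisory


def normalize(path_info):
    """Reduce slash, dot-segment and encoding variants to one canonical path."""
    path = unquote(path_info)  # decode once more; over-blocks rather than under-blocks
    # Strip leading slashes first: normpath() would otherwise preserve a leading "//".
    return posixpath.normpath("/" + path.lstrip("/"))


class RestrictInfoEndpoint:
    """Hypothetical middleware: deny the endpoint to clients outside allowed_networks."""

    def __init__(self, app, allowed_networks=("127.0.0.1/32", "::1/128")):
        self.app = app
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]

    def _client_allowed(self, environ):
        # Behind a reverse proxy REMOTE_ADDR is the proxy itself, so enforce
        # the restriction at the proxy instead of relying on this check.
        try:
            addr = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False  # unknown peer: fail closed
        return any(addr in net for net in self.allowed)

    def __call__(self, environ, start_response):
        path = normalize(environ.get("PATH_INFO", ""))
        if path == BLOCKED_PATH and not self._client_allowed(environ):
            body = b"Forbidden\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)
```

Wrap the application object before handing it to the WSGI server, for example `app.wsgi_app = RestrictInfoEndpoint(app.wsgi_app)` on a Flask app.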

Exploit

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2024-21644
GHSA-MQPQ-2P68-46FV

Affected Products

Pyload