CVE-2024-32880

Name of the Vulnerable Software and Affected Versions pyload (affected versions not specified)

Description An authenticated user can achieve remote code execution by changing the download folder and uploading a crafted template to that location. This is possible through the '/json/add package' endpoint using the add file parameter to upload a malicious file. The issue is triggered via the '/render/{filename}' endpoint, where the render() function processes the uploaded file, leading to Server-Side Template Injection (SSTI)—a vulnerability where an attacker injects malicious code into a template that is then executed on the server.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. Restrict access to the '/json/add package' and '/render/{filename}' endpoints to minimize the risk of exploitation.