CVE-2024-47821

Name of the Vulnerable Software and Affected Versions pyLoad versions prior to 0.5.0b3.dev87

Description The vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system. This is achieved by downloading an executable file to a folder in /scripts and performing the respective action, which triggers the execution of scripts in that folder. The /flashgot API endpoint can be used to download the file by changing the download folder to a folder in the /scripts path.

Recommendations For versions prior to 0.5.0b3.dev87, update to version 0.5.0b3.dev87 to fix the issue. As a temporary workaround, consider restricting access to the /flashgot API endpoint and the /scripts folder to minimize the risk of exploitation. Avoid using the /flashgot API to download files to folders in the /scripts path until the issue is resolved.