CVE-2024-22416 PoC — Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation

Source

https://github.com/mindstorm38/ensimag-secu3a-cve-2024-22416

Associated Vulnerability

Title:Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation (CVE-2024-22416)
Description:pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade.

Description

CVE-2024-22416 exploit experiments

Readme

# CVE-2024-22416

Reference report: [GHSA-pgpj-v85q-h5fm](https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm)

This repository contains a docker compose configuration that setups both a pyLoad server
and an attacker server that just provides a `csrf.html`. To test yourself, just run
`docker composer up` (you need to have docker composer installed additionally to docker).

Then, start by going to `localhost:8000`, which is the pyLoad login page, and login with
user `pyload` and password `pyload`. Then, go to `localhost:8001/csrf.html`, this will
instantly submit a cross-site request to pyLoad API and add a user called "hacker".
You can check that it worked by going to Settings > Users and notice that "hacker" user
has been added!

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!