← Back

CVE-2024-47821

nvd nist
Published: Oct 25, 2024Modified: Mar 5, 2025

JSON object

Loading...
2.3
Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Exploitability: 0.8 / Impact: 1.4
Source: NVD

Description

pyLoad is a free and open-source Download Manager. The folder `/.pyload/scripts` has scripts which are run when certain actions are completed, for e.g. a download is finished. By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved in versions prior to 0.5.0b3.dev87. A file can be downloaded to such a folder by changing the download folder to a folder in `/scripts` path and using the `/flashgot` API to download the file. This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system. Version 0.5.0b3.dev87 fixes this issue.

Affected (1)

Products: Pyload: Pyload
Pyload
1 product
Pyload
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Pyload
Version 0.5.0

Related CWEs

CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (1)

Source: security-advisories@github.com
ExploitVendor Advisory

Timeline

No history available yet.