pyload-ng 0.5.0b1.dev2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the pyload-ng package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Cross-site Scripting (XSS) pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via unsanitized parameters in the `cnl_blueprint.py`. An attacker can execute arbitrary JavaScript code in the context of a user's browser session by submitting crafted requests containing malicious payloads. This can lead to impersonation of users, theft of authentication tokens, and unauthorized actions performed on behalf of the victim. How to fix Cross-site Scripting (XSS)? A fix was pushed into the `master` branch but not yet published.	[0,)
H Allocation of Resources Without Limits or Throttling pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `jk` parameter in the CNL Blueprint process. An attacker can cause the server CPU to become fully occupied and render the web interface unresponsive by supplying crafted input to the `dukpy.evaljs` function. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `pyload-ng` to version 0.5.0b3.dev92 or higher.	[,0.5.0b3.dev92)
H SQL Injection pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to SQL Injection via the `add_links` parameter in the `/json/add_package` API endpoint. An attacker can modify or delete data in the database by injecting malicious SQL statements. How to fix SQL Injection? Upgrade `pyload-ng` to version 0.5.0b3.dev91 or higher.	[,0.5.0b3.dev91)
C Arbitrary Code Injection pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Arbitrary Code Injection in the CAPTCHA processing code, via the `onCaptchaResult` function. An attacker could execute arbitrary code in the client browser and potentially the backend server by exploiting this vulnerability. How to fix Arbitrary Code Injection? Upgrade `pyload-ng` to version 0.5.0b3.dev89 or higher.	[,0.5.0b3.dev89)
C Directory Traversal pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Directory Traversal via the `addcrypted` endpoint when processing the `package` parameter. An attacker can achieve arbitrary file write and execute malicious code with root privileges by submitting crafted POST requests that exploit path traversal to overwrite critical system files such as cron jobs or systemd services. How to fix Directory Traversal? Upgrade `pyload-ng` to version 0.5.0b3.dev90 or higher.	[,0.5.0b3.dev90)
M Arbitrary Code Injection pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Arbitrary Code Injection via improper handling of the `add_name` parameter in the `/json/add_package` API endpoint. An attacker can inject arbitrary log entries by submitting input containing newline characters, which are not properly escaped, allowing manipulation of the application's log files. How to fix Arbitrary Code Injection? Upgrade `pyload-ng` to version 0.5.0b3.dev90 or higher.	[,0.5.0b3.dev90)
H Directory Traversal pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Directory Traversal via the `json/upload` endpoint when the filename parameter is manipulated. An attacker can write arbitrary files to any location accessible to the application process by uploading files with crafted filenames. How to fix Directory Traversal? Upgrade `pyload-ng` to version 0.5.0b3.dev90 or higher.	[,0.5.0b3.dev90)
C Improper Preservation of Permissions pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Improper Preservation of Permissions via the `host` header. An attacker can gain unauthorized access and create arbitrary packages by sending crafted requests from a remote location. How to fix Improper Preservation of Permissions? Upgrade `pyload-ng` to version 0.5.0b3.dev90 or higher.	[,0.5.0b3.dev90)
M Open Redirect pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Open Redirect via the `is_safe_url` function. An attacker can redirect users to malicious websites, which may be used for phishing and similar attacks by manipulating the URL input in the `next` variable to bypass URL validation. This has also been assigned CVE-2024-24808 How to fix Open Redirect? Upgrade `pyload-ng` to version 0.5.0b3.dev79 or higher.	[,0.5.0b3.dev79)
C Command Injection pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Command Injection via the `flashgot` API and the download process. An attacker can execute arbitrary code by manipulating the download path to target the scripts directory and spoofing HTTP headers to bypass security checks. This is only exploitable if the server settings allow changing the download folder to a scripts directory and the permissions for downloaded files are improperly set. How to fix Command Injection? Upgrade `pyload-ng` to version 0.5.0b3.dev87 or higher.	[,0.5.0b3.dev87)
C Improper Control of Generation of Code ('Code Injection') pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') through the `/flash/addcrypted2` API endpoint that uses `js2py`, which is vulnerable to Code Injection. An attacker can execute arbitrary shell commands by sending a specially crafted request that bypasses the localhost-only restriction using a modified HTTP header. Note: Any `payload-ng` running under python3.11 or below is vulnerable. pyload-ng doesn't use js2py for python3.12 or above. How to fix Improper Control of Generation of Code ('Code Injection')? Upgrade `pyload-ng` to version 0.5.0b3.dev87 or higher.	[,0.5.0b3.dev87)
C Unrestricted Upload of File with Dangerous Type pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type due to the ability to change the download folder and upload a crafted template. An attacker can execute arbitrary code on the server by uploading a malicious template file to a specified folder and then navigating to a URL that renders the uploaded template. How to fix Unrestricted Upload of File with Dangerous Type? Upgrade `pyload-ng` to version 0.5.0b3.dev85 or higher.	[,0.5.0b3.dev85)
M Open Redirect pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Open Redirect via the `is_safe_url` function. An attacker can redirect users to malicious websites, which may be used for phishing and similar attacks by manipulating the URL input in the `next` variable to bypass URL validation. This has also been assigned CVE-2024-1240 How to fix Open Redirect? Upgrade `pyload-ng` to version 0.5.0b3.dev79 or higher.	[,0.5.0b3.dev79)
C Cross-site Request Forgery (CSRF) pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the API accepting GET requests without proper validation. An attacker can perform unauthorized actions on behalf of a legitimate user due to the session cookie not being set to `SameSite: strict`. How to fix Cross-site Request Forgery (CSRF)? Upgrade `pyload-ng` to version 0.5.0b3.dev78 or higher.	[,0.5.0b3.dev78)
M Improper Output Neutralization for Logs pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Improper Output Neutralization for Logs. An attacker can inject arbitrary messages into the logs via the username, which could be used to obscure their activities or falsely implicate another individual in malicious actions. How to fix Improper Output Neutralization for Logs? Upgrade `pyload-ng` to version 0.5.0b3.dev77 or higher.	[,0.5.0b3.dev77)
H Insertion of Sensitive Information into Externally-Accessible File or Directory pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Insertion of Sensitive Information into Externally-Accessible File or Directory due to improper handling of a specific URL which exposes the Flask config, including the `SECRET_KEY` variable. An attacker can gain access to sensitive information by navigating to the exposed URL without authentication. How to fix Insertion of Sensitive Information into Externally-Accessible File or Directory? Upgrade `pyload-ng` to version 0.5.0b3.dev77 or higher.	[,0.5.0b3.dev77)
H Directory Traversal pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Directory Traversal when the `add_package` and `edit_package` functions are used. An attacker can store files anywhere on the server and gain command execution by abusing scripts. This is only exploitable if a user creates a new package and then edits it to pick any arbitrary directory in the filesystem. How to fix Directory Traversal? Upgrade `pyload-ng` to version 0.5.0b3.dev75 or higher.	[,0.5.0b3.dev75)
M Cross-site Scripting (XSS) pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in `templates/js/packages.js`, exploitable via the `/collector` endpoint. How to fix Cross-site Scripting (XSS)? Upgrade `pyload-ng` to version 0.5.0b3.dev42 or higher.	[,0.5.0b3.dev42)
H Improper Input Validation pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Improper Input Validation in the form of insufficient SSL certificate verification in `http_request.py`. This allows attackers to intercept or inject HTTPS traffic between a host and a client. How to fix Improper Input Validation? Upgrade `pyload-ng` to version 0.5.0b3.dev44 or higher.	[,0.5.0b3.dev44)
M Improper Input Validation pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Improper Input Validation via the `cast` function, which allows inserting strings as input to the `Start` and `End` time fields. Exploiting this vulnerability will cause the application to stop working. How to fix Improper Input Validation? Upgrade `pyload-ng` to version 0.5.0b3.dev40 or higher.	[0,0.5.0b3.dev40)
C Arbitrary Code Injection pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Arbitrary Code Injection via the `jk` parameter, which passes user input, potentially including arbitrary OS commands, to `pyimport`. How to fix Arbitrary Code Injection? Upgrade `pyload-ng` to version 0.5.0b3.dev31 or higher.	[,0.5.0b3.dev31)
H Insufficient Session Expiration pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Insufficient Session Expiration in `webui/app/helpers.py`, which allows an admin user whose account has been deleted to remain in an active session. How to fix Insufficient Session Expiration? Upgrade `pyload-ng` to version 0.5.0b3.dev38 or higher.	[0,0.5.0b3.dev38)
L Improper Restriction of Rendered UI Layers or Frames pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames which leads to clickjacking attacks due to the lack of frame restrictions. How to fix Improper Restriction of Rendered UI Layers or Frames? Upgrade `pyload-ng` to version 0.5.0b3.dev33 or higher.	[,0.5.0b3.dev33)
L Sensitive Cookie in HTTPS Session Without "Secure" Attribute pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Sensitive Cookie in HTTPS Session Without "Secure" Attribute due to missing the `secure` attribute for sensitive cookies in HTTPS sessions. Exploiting this vulnerability allows sending those cookies in plaintext over an HTTP session. How to fix Sensitive Cookie in HTTPS Session Without "Secure" Attribute? Upgrade `pyload-ng` to version 0.5.0b3.dev32 or higher.	[,0.5.0b3.dev32)
M Prototype Pollution pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Prototype Pollution via the `parseQueryString()` function in `String.QueryString.js`, in MooTools-More.min.js. How to fix Prototype Pollution? Upgrade `pyload-ng` to version 0.5.0b3.dev41 or higher.	[,0.5.0b3.dev41)

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via unsanitized parameters in the cnl_blueprint.py. An attacker can execute arbitrary JavaScript code in the context of a user's browser session by submitting crafted requests containing malicious payloads. This can lead to impersonation of users, theft of authentication tokens, and unauthorized actions performed on behalf of the victim.

How to fix Cross-site Scripting (XSS)?

A fix was pushed into the master branch but not yet published.

[0,)

Allocation of Resources Without Limits or Throttling

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the jk parameter in the CNL Blueprint process. An attacker can cause the server CPU to become fully occupied and render the web interface unresponsive by supplying crafted input to the dukpy.evaljs function.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade pyload-ng to version 0.5.0b3.dev92 or higher.

[,0.5.0b3.dev92)

SQL Injection

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to SQL Injection via the add_links parameter in the /json/add_package API endpoint. An attacker can modify or delete data in the database by injecting malicious SQL statements.

How to fix SQL Injection?

Upgrade pyload-ng to version 0.5.0b3.dev91 or higher.

[,0.5.0b3.dev91)

Arbitrary Code Injection

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Arbitrary Code Injection in the CAPTCHA processing code, via the onCaptchaResult function. An attacker could execute arbitrary code in the client browser and potentially the backend server by exploiting this vulnerability.

How to fix Arbitrary Code Injection?

Upgrade pyload-ng to version 0.5.0b3.dev89 or higher.

[,0.5.0b3.dev89)

Directory Traversal

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Directory Traversal via the addcrypted endpoint when processing the package parameter. An attacker can achieve arbitrary file write and execute malicious code with root privileges by submitting crafted POST requests that exploit path traversal to overwrite critical system files such as cron jobs or systemd services.

How to fix Directory Traversal?

Upgrade pyload-ng to version 0.5.0b3.dev90 or higher.

[,0.5.0b3.dev90)

Arbitrary Code Injection

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Arbitrary Code Injection via improper handling of the add_name parameter in the /json/add_package API endpoint. An attacker can inject arbitrary log entries by submitting input containing newline characters, which are not properly escaped, allowing manipulation of the application's log files.

How to fix Arbitrary Code Injection?

Upgrade pyload-ng to version 0.5.0b3.dev90 or higher.

[,0.5.0b3.dev90)

Directory Traversal

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Directory Traversal via the json/upload endpoint when the filename parameter is manipulated. An attacker can write arbitrary files to any location accessible to the application process by uploading files with crafted filenames.

How to fix Directory Traversal?

Upgrade pyload-ng to version 0.5.0b3.dev90 or higher.

[,0.5.0b3.dev90)

Improper Preservation of Permissions

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Improper Preservation of Permissions via the host header. An attacker can gain unauthorized access and create arbitrary packages by sending crafted requests from a remote location.

How to fix Improper Preservation of Permissions?

Upgrade pyload-ng to version 0.5.0b3.dev90 or higher.

[,0.5.0b3.dev90)

Open Redirect

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Open Redirect via the is_safe_url function. An attacker can redirect users to malicious websites, which may be used for phishing and similar attacks by manipulating the URL input in the next variable to bypass URL validation. This has also been assigned CVE-2024-24808

How to fix Open Redirect?

Upgrade pyload-ng to version 0.5.0b3.dev79 or higher.

[,0.5.0b3.dev79)

Command Injection

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Command Injection via the flashgot API and the download process. An attacker can execute arbitrary code by manipulating the download path to target the scripts directory and spoofing HTTP headers to bypass security checks. This is only exploitable if the server settings allow changing the download folder to a scripts directory and the permissions for downloaded files are improperly set.

How to fix Command Injection?

Upgrade pyload-ng to version 0.5.0b3.dev87 or higher.

[,0.5.0b3.dev87)

Improper Control of Generation of Code ('Code Injection')

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') through the /flash/addcrypted2 API endpoint that uses js2py, which is vulnerable to Code Injection. An attacker can execute arbitrary shell commands by sending a specially crafted request that bypasses the localhost-only restriction using a modified HTTP header.

Note:

Any payload-ng running under python3.11 or below is vulnerable.

pyload-ng doesn't use js2py for python3.12 or above.

How to fix Improper Control of Generation of Code ('Code Injection')?

Upgrade pyload-ng to version 0.5.0b3.dev87 or higher.

[,0.5.0b3.dev87)

Unrestricted Upload of File with Dangerous Type

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type due to the ability to change the download folder and upload a crafted template. An attacker can execute arbitrary code on the server by uploading a malicious template file to a specified folder and then navigating to a URL that renders the uploaded template.

How to fix Unrestricted Upload of File with Dangerous Type?

Upgrade pyload-ng to version 0.5.0b3.dev85 or higher.

[,0.5.0b3.dev85)

Open Redirect

pyload-ng is a The free and open-source Download Manager written in pure Python

How to fix Open Redirect?

Upgrade pyload-ng to version 0.5.0b3.dev79 or higher.

[,0.5.0b3.dev79)

Cross-site Request Forgery (CSRF)

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the API accepting GET requests without proper validation. An attacker can perform unauthorized actions on behalf of a legitimate user due to the session cookie not being set to SameSite: strict.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade pyload-ng to version 0.5.0b3.dev78 or higher.

[,0.5.0b3.dev78)

Improper Output Neutralization for Logs

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs. An attacker can inject arbitrary messages into the logs via the username, which could be used to obscure their activities or falsely implicate another individual in malicious actions.

How to fix Improper Output Neutralization for Logs?

Upgrade pyload-ng to version 0.5.0b3.dev77 or higher.

[,0.5.0b3.dev77)

Insertion of Sensitive Information into Externally-Accessible File or Directory

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Externally-Accessible File or Directory due to improper handling of a specific URL which exposes the Flask config, including the SECRET_KEY variable. An attacker can gain access to sensitive information by navigating to the exposed URL without authentication.

How to fix Insertion of Sensitive Information into Externally-Accessible File or Directory?

Upgrade pyload-ng to version 0.5.0b3.dev77 or higher.

[,0.5.0b3.dev77)

Directory Traversal

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Directory Traversal when the add_package and edit_package functions are used. An attacker can store files anywhere on the server and gain command execution by abusing scripts. This is only exploitable if a user creates a new package and then edits it to pick any arbitrary directory in the filesystem.

How to fix Directory Traversal?

Upgrade pyload-ng to version 0.5.0b3.dev75 or higher.

[,0.5.0b3.dev75)

Cross-site Scripting (XSS)

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in templates/js/packages.js, exploitable via the /collector endpoint.

How to fix Cross-site Scripting (XSS)?

Upgrade pyload-ng to version 0.5.0b3.dev42 or higher.

[,0.5.0b3.dev42)

Improper Input Validation

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Improper Input Validation in the form of insufficient SSL certificate verification in http_request.py. This allows attackers to intercept or inject HTTPS traffic between a host and a client.

How to fix Improper Input Validation?

Upgrade pyload-ng to version 0.5.0b3.dev44 or higher.

[,0.5.0b3.dev44)

Improper Input Validation

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Improper Input Validation via the cast function, which allows inserting strings as input to the Start and End time fields. Exploiting this vulnerability will cause the application to stop working.

How to fix Improper Input Validation?

Upgrade pyload-ng to version 0.5.0b3.dev40 or higher.

[0,0.5.0b3.dev40)

Arbitrary Code Injection

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Arbitrary Code Injection via the jk parameter, which passes user input, potentially including arbitrary OS commands, to pyimport.

How to fix Arbitrary Code Injection?

Upgrade pyload-ng to version 0.5.0b3.dev31 or higher.

[,0.5.0b3.dev31)

Insufficient Session Expiration

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Insufficient Session Expiration in webui/app/helpers.py, which allows an admin user whose account has been deleted to remain in an active session.

How to fix Insufficient Session Expiration?

Upgrade pyload-ng to version 0.5.0b3.dev38 or higher.

[0,0.5.0b3.dev38)

Improper Restriction of Rendered UI Layers or Frames

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames which leads to clickjacking attacks due to the lack of frame restrictions.

How to fix Improper Restriction of Rendered UI Layers or Frames?

Upgrade pyload-ng to version 0.5.0b3.dev33 or higher.

[,0.5.0b3.dev33)

Sensitive Cookie in HTTPS Session Without "Secure" Attribute

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Sensitive Cookie in HTTPS Session Without "Secure" Attribute due to missing the secure attribute for sensitive cookies in HTTPS sessions. Exploiting this vulnerability allows sending those cookies in plaintext over an HTTP session.

How to fix Sensitive Cookie in HTTPS Session Without "Secure" Attribute?

Upgrade pyload-ng to version 0.5.0b3.dev32 or higher.

[,0.5.0b3.dev32)

Prototype Pollution

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Prototype Pollution via the parseQueryString() function in String.QueryString.js, in MooTools-More.min.js.

How to fix Prototype Pollution?

Upgrade pyload-ng to version 0.5.0b3.dev41 or higher.

[,0.5.0b3.dev41)

pyload-ng@0.5.0b1.dev2 vulnerabilities

The free and open-source Download Manager written in pure Python

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically