pyload-ng@0.5.0b1.dev4 vulnerabilities

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type due to the ability to change the download folder and upload a crafted template. An attacker can execute arbitrary code on the server by uploading a malicious template file to a specified folder and then navigating to a URL that renders the uploaded template.

Upgrade pyload-ng to version 0.5.0b3.dev85 or higher.

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Open Redirect via the is_safe_url function. An attacker can redirect users to malicious websites, which may be used for phishing and similar attacks by manipulating the URL input in the next variable to bypass URL validation.

Upgrade pyload-ng to version 0.5.0b3.dev79 or higher.

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the API accepting GET requests without proper validation. An attacker can perform unauthorized actions on behalf of a legitimate user due to the session cookie not being set to SameSite: strict.

Upgrade pyload-ng to version 0.5.0b3.dev78 or higher.

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs. An attacker can inject arbitrary messages into the logs via the username, which could be used to obscure their activities or falsely implicate another individual in malicious actions.

Upgrade pyload-ng to version 0.5.0b3.dev77 or higher.

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Externally-Accessible File or Directory due to improper handling of a specific URL which exposes the Flask config, including the SECRET_KEY variable. An attacker can gain access to sensitive information by navigating to the exposed URL without authentication.

Upgrade pyload-ng to version 0.5.0b3.dev77 or higher.

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Directory Traversal when the add_package and edit_package functions are used. An attacker can store files anywhere on the server and gain command execution by abusing scripts. This is only exploitable if a user creates a new package and then edits it to pick any arbitrary directory in the filesystem.

Upgrade pyload-ng to version 0.5.0b3.dev75 or higher.

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in templates/js/packages.js, exploitable via the /collector endpoint.

Upgrade pyload-ng to version 0.5.0b3.dev42 or higher.

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Improper Input Validation in the form of insufficient SSL certificate verification in http_request.py. This allows attackers to intercept or inject HTTPS traffic between a host and a client.

Upgrade pyload-ng to version 0.5.0b3.dev44 or higher.

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Improper Input Validation via the cast function, which allows inserting strings as input to the Start and End time fields. Exploiting this vulnerability will cause the application to stop working.

Upgrade pyload-ng to version 0.5.0b3.dev40 or higher.

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Arbitrary Code Injection via the jk parameter, which passes user input, potentially including arbitrary OS commands, to pyimport.

Upgrade pyload-ng to version 0.5.0b3.dev31 or higher.

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Insufficient Session Expiration in webui/app/helpers.py, which allows an admin user whose account has been deleted to remain in an active session.

Upgrade pyload-ng to version 0.5.0b3.dev38 or higher.

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames which leads to clickjacking attacks due to the lack of frame restrictions.

Upgrade pyload-ng to version 0.5.0b3.dev33 or higher.

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Sensitive Cookie in HTTPS Session Without "Secure" Attribute due to missing the secure attribute for sensitive cookies in HTTPS sessions. Exploiting this vulnerability allows sending those cookies in plaintext over an HTTP session.

Upgrade pyload-ng to version 0.5.0b3.dev32 or higher.

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Prototype Pollution via the parseQueryString() function in String.QueryString.js, in MooTools-More.min.js.

Upgrade pyload-ng to version 0.5.0b3.dev41 or higher.