pyload-ng@0.5.0b3.dev85 vulnerabilities

The free and open-source Download Manager written in pure Python

latest version

0.5.0b3.dev87
latest non vulnerable version

0.5.0b3.dev87
first published

5 years ago
latest version published

21 days ago
licenses detected
- AGPL-3.0
  [0,)
View pyload-ng package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the pyload-ng package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
C Command Injection pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Command Injection via the `flashgot` API and the download process. An attacker can execute arbitrary code by manipulating the download path to target the scripts directory and spoofing HTTP headers to bypass security checks. This is only exploitable if the server settings allow changing the download folder to a scripts directory and the permissions for downloaded files are improperly set. How to fix Command Injection? Upgrade `pyload-ng` to version 0.5.0b3.dev87 or higher.	[,0.5.0b3.dev87)
C Improper Control of Generation of Code ('Code Injection') pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') through the `/flash/addcrypted2` API endpoint that uses `js2py`, which is vulnerable to Code Injection. An attacker can execute arbitrary shell commands by sending a specially crafted request that bypasses the localhost-only restriction using a modified HTTP header. Note: Any `payload-ng` running under python3.11 or below is vulnerable. pyload-ng doesn't use js2py for python3.12 or above. How to fix Improper Control of Generation of Code ('Code Injection')? Upgrade `pyload-ng` to version 0.5.0b3.dev87 or higher.	[,0.5.0b3.dev87)

Command Injection

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Command Injection via the flashgot API and the download process. An attacker can execute arbitrary code by manipulating the download path to target the scripts directory and spoofing HTTP headers to bypass security checks. This is only exploitable if the server settings allow changing the download folder to a scripts directory and the permissions for downloaded files are improperly set.

How to fix Command Injection?

Upgrade pyload-ng to version 0.5.0b3.dev87 or higher.

[,0.5.0b3.dev87)

Improper Control of Generation of Code ('Code Injection')

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') through the /flash/addcrypted2 API endpoint that uses js2py, which is vulnerable to Code Injection. An attacker can execute arbitrary shell commands by sending a specially crafted request that bypasses the localhost-only restriction using a modified HTTP header.

Note:

Any payload-ng running under python3.11 or below is vulnerable.

pyload-ng doesn't use js2py for python3.12 or above.

How to fix Improper Control of Generation of Code ('Code Injection')?

Upgrade pyload-ng to version 0.5.0b3.dev87 or higher.

[,0.5.0b3.dev87)

Go back to all versions of this package

pyload-ng@0.5.0b3.dev85 vulnerabilities

The free and open-source Download Manager written in pure Python

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities