CVE-2024-32880.yaml
info:
  name: pyload-ng
  cve: CVE-2024-32880
  summary: pyLoad allows upload to arbitrary folder leading to RCE
  details: |
    An authenticated user can change the download folder and upload a crafted template to the specified folder, leading to remote code execution. The vulnerability affects all versions, with earlier versions having different trigger conditions.

    Example version: 0.5
    File: src/pyload/webui/app/blueprints/app_blueprint.py

    ```python
    @bp.route("/render/<path:filename>", endpoint="render")
    def render(filename):
        mimetype = mimetypes.guess_type(filename)[0] or "text/html"
        data = render_template(filename)
        return flask.Response(data, mimetype=mimetype)
    ```

    Impact:
    It is an RCE vulnerability and affects all versions. In the earlier version 0.4.20, the trigger conditions differ: the pyLoad installation folder path is different, and the uploaded file must have the extension ".js".
  cvss: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  severity: CRITICAL
  security_advise: |
    1. Upgrade to pyload-ng >= 0.5.1
    2. Implement strict file upload validation to prevent uploading of malicious templates
    3. Restrict access to the /settings page to authorized personnel only
rule: version < "0.5.1"
references:
  - https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f
  - https://nvd.nist.gov/vuln/detail/CVE-2024-32880
  - https://github.com/pyload/pyload