Improper Restriction of Rendered UI Layers or Frames in pyload/pyload


Reported on

Jan 1st 2023


It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY.

Proof of Concept


According to PortSwigger references, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery and may result in unauthorized actions.

We are processing your report and will contact the pyload team within 24 hours. 8 days ago
bAu modified the report
8 days ago
We have contacted a member of the pyload team and are waiting to hear back 7 days ago
pyload/pyload maintainer validated this vulnerability 5 days ago
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pyload/pyload maintainer marked this as fixed in 0.5.0b3.dev33 with commit bd2a31 5 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
pyload/pyload maintainer published this vulnerability 5 days ago
to join this conversation