Improper String/Integer Input Validation Leads to the Crashing of Site in pyload/pyload
Valid
Reported on
Jan 5th 2023
Description
If you give the string input in the Start/End time field, then the application will stop working.
Proof of Concept
- Go to "Settings->General-Reconnection"
- Change activated to "on"
- On every input fields place any string for example put: "test"
- Click on save and refresh
- The application will crash
Fix: rm ~/.pyload/settings/pyload.cfg or editing pyload.cfg.
Impact
We can crash the application. Changing it with CSRF could lead to leveraging more paths to launch this attack.
We are processing your report and will contact the
pyload
team within 24 hours.
9 months ago
We have contacted a member of the
pyload
team and are waiting to hear back
8 months ago
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability has been assigned a CVE
to join this conversation