Cookie without Secure attribute in pyload/pyload


Reported on

Jan 3rd 2023


The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

Proof of Concept

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 107
Vary: Accept-Encoding
Set-Cookie: pyload_session=28d0985f-aea1-490b-9954-866be697d8ad; Expires=Fri, 03 Feb 2023 05:47:17 GMT; HttpOnly; Path=/; SameSite=Lax
Connection: close
Date: Tue, 03 Jan 2023 05:47:17 GMT
Server: Cheroot/8.6.0


User's cookies can be sent to the server with an unencrypted request over the HTTP protocol. This is not secure.

We are processing your report and will contact the pyload team within 24 hours. a year ago
bAu submitted a
a year ago
We have contacted a member of the pyload team and are waiting to hear back a year ago
pyload/pyload maintainer validated this vulnerability a year ago
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pyload/pyload maintainer marked this as fixed in 0.5.0b3.dev32 with commit 7b53b8 a year ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
pyload/pyload maintainer published this vulnerability a year ago
to join this conversation