
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-22416 affects pyLoad, a free and open-source download manager written in pure Python. The advisory was published in January 2024 and describes a Cross-Site Request Forgery (CSRF) vulnerability in the pyLoad API. Two conditions combine to make it exploitable: the API accepts any call, including state-changing ones, over plain GET requests, and the session cookie is not set with SameSite=Strict, so a browser will attach it to cross-site requests. All versions prior to 0.5.0b3.dev78 are affected (GitHub Advisory).
The vulnerability has been assigned a CVSS v3.1 score of 9.6 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H; the UI:R component reflects that a logged-in user must be lured to an attacker-controlled page or link. It is classified as CWE-352 (Cross-Site Request Forgery) (NVD).
An attacker who holds no pyLoad credentials can have arbitrary API calls executed in the context of a user who is logged in to pyLoad and visits a page the attacker controls. Because the API answers GET requests, a simple link or top-level navigation is enough; no form submission or script running on the pyLoad origin is needed. If the victim is an administrator, the forged calls run with administrator privileges, which includes creating new admin accounts and therefore gives the attacker persistent full control of the pyLoad instance (Security Online, GitHub Advisory).
The vulnerability has been patched in version 0.5.0b3.dev78. The fix sets the session cookie's SameSite attribute to Strict, so browsers no longer send the cookie on any cross-site request. Note that SameSite=Lax, the default most browsers apply when the attribute is absent, would not have been sufficient on its own: Lax cookies are still sent on top-level GET navigations, which is exactly what a GET-accessible API lets an attacker use. All users are strongly advised to upgrade to 0.5.0b3.dev78 or later (GitHub Advisory).
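The following is an added example, not pyLoad's own code or the advisory's. It models the two conditions described above: it parses a Set-Cookie header for the SameSite attribute, applies the browser rules for when a cookie is attached to a cross-site request, and reports whether a GET-accessible API is exposed to CSRF. The cookie name, the two Set-Cookie headers, and the treatment of an absent SameSite attribute as Lax (Chromium's behaviour; some browsers still treat it as None) are assumptions made for the example.

```python
# Added example for CVE-2024-22416 (not pyLoad's code). Models the combination
# of a session cookie without SameSite=Strict and an API reachable over GET.
# The cookie name and headers below are constructed for illustration.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Constructed Set-Cookie headers, not captured from a real pyLoad instance.
VULNERABLE_SET_COOKIE = "pyload_session=abc123; HttpOnly; Path=/"
PATCHED_SET_COOKIE = "pyload_session=abc123; HttpOnly; Path=/; SameSite=Strict"


def parse_set_cookie(header):
    """Extract name, value and the security attributes from a Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    info = {"name": name.strip(), "value": value.strip(),
            "samesite": None, "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            info["samesite"] = val.strip()
        elif key in ("secure", "httponly"):
            info[key] = True
    return info


def cookie_sent_cross_site(samesite, top_level_navigation, method,
                           default_when_absent="Lax"):
    """Would a browser attach the cookie to a cross-site request?

    Strict: never on cross-site requests.
    Lax:    only on top-level navigations with a safe method (a link or
            window.location to a GET URL); never for <img>/fetch subresources
            or for cross-site POSTs.
    None:   always (browsers also require the Secure flag for this).
    An absent attribute is treated as default_when_absent. Chromium applies
    Lax; some other browsers still behave as None, so this is an assumption.
    """
    mode = (samesite or default_when_absent).lower()
    if mode == "strict":
        return False
    if mode == "none":
        return True
    return top_level_navigation and method.upper() in SAFE_METHODS


def csrf_exposed(set_cookie_header, api_accepts_get, default_when_absent="Lax"):
    """CVE-2024-22416 condition: can an attacker page trigger an authenticated,
    state-changing API call just by navigating the victim to a GET URL?"""
    cookie = parse_set_cookie(set_cookie_header)
    if not api_accepts_get:
        return False  # a GET-only lure cannot reach a POST-only API
    return cookie_sent_cross_site(cookie["samesite"], True, "GET",
                                  default_when_absent)


if __name__ == "__main__":
    for label, header in (("unpatched", VULNERABLE_SET_COOKIE),
                          ("patched", PATCHED_SET_COOKIE)):
        print(f"{label}: GET-accessible API exposed to CSRF = "
              f"{csrf_exposed(header, api_accepts_get=True)}")
    # Why GET-accessibility matters: even Lax lets the cookie ride a top-level
    # navigation, which is all a cross-site GET call needs.
    for nav, method in ((True, "GET"), (False, "GET"), (True, "POST")):
        print(f"Lax, top_level={nav}, {method}: "
              f"sent={cookie_sent_cross_site('Lax', nav, method)}")
```

Running the script with the constructed headers reports the unpatched cookie as exposed and the SameSite=Strict cookie as not exposed; the second loop shows why the fix had to be Strict rather than Lax, since Lax still attaches the cookie on a top-level GET navigation. To check a live instance, replace the constructed header with the Set-Cookie value from your own login response.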
Source: This report was generated using AI