### [CVE-2024-21645](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21645)
![](https://img.shields.io/static/v1?label=Product&message=pyload&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%200.5.0b3.dev77%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-74%3A%20Improper%20Neutralization%20of%20Special%20Elements%20in%20Output%20Used%20by%20a%20Downstream%20Component%20('Injection')&color=brighgreen)

### Description

pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise, corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77.

### POC

#### Reference
- https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds