Miggo Logo
Miggo Vulnerability Database
CVE-2023-0297

CVE-2023-0297:
Code Injection in pyload-ng

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-0297
GHSA ID
GHSA-pf38-5p22-x6h6
EPSS Score
0.99871%
CWE
CWE-94
Published
1/14/2023
Updated
6/16/2023
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
pyload-ngpip< 0.5.0b3.dev310.5.0b3.dev31

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The key evidence comes from the patch commit which adds 'js2py.disable_pyimport()' in misc.py. This indicates the vulnerability stemmed from js2py's ability to execute Python code via JavaScript evaluation. The CVE description and external references confirm this was exploitable for RCE through crafted JS inputs. While the exact consumer function isn't shown, the core vulnerability exists in how js2py was initialized at the module level before the patch.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*o** Inj**tion in *it*u* r*pository pylo**/pylo** prior to *.*.***.**v**.

Reasoning

T** k*y *vi**n** *om*s *rom t** p*t** *ommit w*i** ***s `'js*py.*is**l*_pyimport()'` in `mis*.py`. T*is in*i**t*s t** vuln*r**ility st*mm** *rom `js*py`'s **ility to *x**ut* Pyt*on *o** vi* J*v*S*ript *v*lu*tion. T** *V* **s*ription *n* *xt*rn*l r***