CVE-2024-47067

AList is a file list program that supports multiple storages. AList contains a reflected cross-site scripting vulnerability in helper.go. The endpoint /i/:link_name takes in a user-provided value and reflects it back in the response. The endpoint returns an application/xml response, opening it up to HTML tags via XHTML and thus leading to a XSS vulnerability. This vulnerability is fixed in 3.29.0.
Configurations

Configuration 1 (hide)

cpe:2.3:a:alist_project:alist:*:*:*:*:*:*:*:*

History

15 Nov 2024, 16:28

Type Values Removed Values Added
First Time Alist Project
Alist Project alist
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.1
CPE cpe:2.3:a:alist_project:alist:*:*:*:*:*:*:*:*
References () https://github.com/alist-org/alist/commit/6100647310594868e931f3de1188ddd8bde93b78 - () https://github.com/alist-org/alist/commit/6100647310594868e931f3de1188ddd8bde93b78 - Patch
References () https://securitylab.github.com/advisories/GHSL-2023-220_Alist/ - () https://securitylab.github.com/advisories/GHSL-2023-220_Alist/ - Exploit, Third Party Advisory

04 Oct 2024, 13:51

Type Values Removed Values Added
Summary
  • (es) AList es un programa de listas de archivos que admite varios almacenamientos. AList contiene una vulnerabilidad de cross-site scripting reflejado en helper.go. El punto de conexión /i/:link_name toma un valor proporcionado por el usuario y lo refleja en la respuesta. El punto de conexión devuelve una respuesta application/xml, lo que la abre a las etiquetas HTML a través de XHTML y, por lo tanto, genera una vulnerabilidad XSS. Esta vulnerabilidad se solucionó en la versión 3.29.0.

30 Sep 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-30 16:15

Updated : 2024-11-15 16:28


NVD link : CVE-2024-47067

Mitre link : CVE-2024-47067

CVE.ORG link : CVE-2024-47067


JSON object : View

Products Affected

alist_project

  • alist
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')