CVE Vulnerabilities for Alist
| CVE | Published | Severity | Details | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| CVE‑2024‑47067 | 2024‑09‑30 16:15:09 | MEDIUM (6) | AList is a file list program that supports multiple storages. AList contains a reflected cross-site scripting vulnerability in helper.go. The endpoint /i/:link_name takes in a user-provided value and reflects it back in the response. The endpoint returns an application/xml response, opening it up to HTML tags via XHTML and thus leading to a XSS vulnerability. This vulnerability is fixed in 3.29.0. | 3 | 3 | NETWORK |
| CVE‑2023‑33498 | 2023‑06‑07 14:15:10 | HIGH (9) | alist <=3.16.3 is vulnerable to Incorrect Access Control. Low privilege accounts can upload any file. | 3 | 6 | NETWORK |
| CVE‑2023‑31726 | 2023‑05‑23 22:15:10 | HIGH (8) | AList 3.15.1 is vulnerable to Incorrect Access Control, which can be exploited by attackers to obtain sensitive information. | 4 | 4 | NETWORK |
| CVE‑2022‑45970 | 2022‑12‑12 14:15:11 | MEDIUM (5) | Alist v3.5.1 is vulnerable to Cross Site Scripting (XSS) via the bulletin board. | 2 | 3 | NETWORK |
| CVE‑2022‑45969 | 2022‑12‑15 23:15:10 | CRITICAL (10) | Alist v3.4.0 is vulnerable to Directory Traversal, | 4 | 6 | NETWORK |
| CVE‑2022‑45968 | 2022‑12‑12 14:15:11 | HIGH (9) | Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one). | 3 | 6 | NETWORK |
| CVE‑2022‑26533 | 2022‑03‑12 01:15:36 | MEDIUM (6) | Alist v2.1.0 and below was discovered to contain a cross-site scripting (XSS) vulnerability via /i/:data/ipa.plist. | 3 | 3 | NETWORK |
View OS-specific patching for:
Windows Mac Linux
Logos, products, trade names, and company names are all the property of their respective trademark holders.
The above listing includes products that Lavawall® monitors through public information and/or proprietary statistical analysis.
Although we do have a partner relationship with some of the listed products and companies, they do not necessarily endorse Lavawall® or have integrations with our systems.