CVE-2024-47067

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-47067
AList is a file list program that supports multiple storages. AList contains a reflected cross-site scripting vulnerability in helper.go. The endpoint /i/:link_name takes in a user-provided value and reflects it back in the response. The endpoint returns an application/xml response, opening it up to HTML tags via XHTML and thus leading to a XSS vulnerability. This vulnerability is fixed in 3.29.0.

6.1 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/alist-org/alist/commit/6100647310594868e931f3de1188ddd8bde93b78 Patch
https://securitylab.github.com/advisories/GHSL-2023-220_Alist/ Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:alist_project:alist:*:*:*:*:*:*:*:*
History

15 Nov 2024, 16:28

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.1
First Time Alist Project
Alist Project alist
References () https://github.com/alist-org/alist/commit/6100647310594868e931f3de1188ddd8bde93b78 - () https://github.com/alist-org/alist/commit/6100647310594868e931f3de1188ddd8bde93b78 - Patch
References () https://securitylab.github.com/advisories/GHSL-2023-220_Alist/ - () https://securitylab.github.com/advisories/GHSL-2023-220_Alist/ - Exploit, Third Party Advisory
CPE cpe:2.3:a:alist_project:alist:*:*:*:*:*:*:*:*

04 Oct 2024, 13:51

Type Values Removed Values Added
Summary
  • (es) AList es un programa de listas de archivos que admite varios almacenamientos. AList contiene una vulnerabilidad de cross-site scripting reflejado en helper.go. El punto de conexión /i/:link_name toma un valor proporcionado por el usuario y lo refleja en la respuesta. El punto de conexión devuelve una respuesta application/xml, lo que la abre a las etiquetas HTML a través de XHTML y, por lo tanto, genera una vulnerabilidad XSS. Esta vulnerabilidad se solucionó en la versión 3.29.0.

30 Sep 2024, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-30 16:15

Updated : 2024-11-15 16:28

NVD link : CVE-2024-47067

Mitre link : CVE-2024-47067

CVE.ORG link : CVE-2024-47067

JSON object : View

Products Affected

alist_project

  • alist
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024