Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/alist-org/alist/v3: GHSA-8pph-gfhp-w226 #3190

Closed
GoVulnBot opened this issue Oct 10, 2024 · 1 comment
Assignees

Comments

@GoVulnBot
Copy link

Advisory GHSA-8pph-gfhp-w226 references a vulnerability in the following Go modules:

Module
github.com/alist-org/alist
github.com/alist-org/alist/v3

Description:
AList is a file list program that supports multiple storages. AList contains a reflected cross-site scripting vulnerability in helper.go. The endpoint /i/:link_name takes in a user-provided value and reflects it back in the response. The endpoint returns an application/xml response, opening it up to HTML tags via XHTML and thus leading to a XSS vulnerability. This vulnerability is fixed in 3.29.0.

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/alist-org/alist
      vulnerable_at: 1.0.6
    - module: github.com/alist-org/alist/v3
      versions:
        - fixed: 3.29.0
      vulnerable_at: 3.28.0
summary: Alist reflected Cross-Site Scripting vulnerability in github.com/alist-org/alist
cves:
    - CVE-2024-47067
ghsas:
    - GHSA-8pph-gfhp-w226
references:
    - advisory: https://github.com/advisories/GHSA-8pph-gfhp-w226
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47067
    - fix: https://github.com/alist-org/alist/commit/6100647310594868e931f3de1188ddd8bde93b78
    - web: https://securitylab.github.com/advisories/GHSL-2023-220_Alist
source:
    id: GHSA-8pph-gfhp-w226
    created: 2024-10-10T21:01:21.416088971Z
review_status: UNREVIEWED

@maceonthompson maceonthompson self-assigned this Oct 11, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/619696 mentions this issue: data/reports: add 6 reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants