Alist reflected Cross-Site Scripting vulnerability
Moderate severity
GitHub Reviewed
Published Oct 10, 2024 to the GitHub Advisory Database. Updated Oct 10, 2024.
Package
Affected versions: < 3.29.0
Patched versions: 3.29.0
Published by the National Vulnerability Database: Sep 30, 2024
Published to the GitHub Advisory Database: Oct 10, 2024
Reviewed: Oct 10, 2024
Last updated: Oct 10, 2024
Description
AList is a file list program that supports multiple storages. AList contains a reflected cross-site scripting vulnerability in helper.go. The endpoint /i/:link_name takes a user-provided value and reflects it back in the response. Because the endpoint returns an application/xml response, the reflected value can introduce HTML tags via XHTML, leading to an XSS vulnerability. This vulnerability is fixed in 3.29.0.
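The bug class described above and its remedy, as an added Go example that is not AList's code: the `<link>`/`<name>` template, the function names and the sample value are assumptions, and the sample is constructed and inert. It builds the same XML body with and without escaping, then parses each result with a namespace-aware decoder to check whether the reflected value produced an element in the XHTML namespace.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

const xhtmlNS = "http://www.w3.org/1999/xhtml"

// renderUnsafe concatenates the request value into a hypothetical XML body unescaped.
func renderUnsafe(linkName string) string {
	return "<link><name>" + linkName + "</name></link>"
}

// renderSafe escapes the value as XML character data before embedding it.
func renderSafe(linkName string) string {
	var buf bytes.Buffer
	_ = xml.EscapeText(&buf, []byte(linkName)) // writes to bytes.Buffer never fail
	return "<link><name>" + buf.String() + "</name></link>"
}

// xhtmlElements parses body the way a namespace-aware XML parser would and
// returns the local names of elements that resolve to the XHTML namespace.
func xhtmlElements(body string) ([]string, error) {
	dec := xml.NewDecoder(strings.NewReader(body))
	var found []string
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return found, nil
		} else if err != nil {
			return found, err
		}
		if se, ok := tok.(xml.StartElement); ok && se.Name.Space == xhtmlNS {
			found = append(found, se.Name.Local)
		}
	}
}

func main() {
	in := `<b xmlns="` + xhtmlNS + `">injected</b>` // constructed, inert sample
	u, _ := xhtmlElements(renderUnsafe(in))
	s, _ := xhtmlElements(renderSafe(in))
	fmt.Println("unsafe:", u, "safe:", s)
}
```

The same `xhtmlElements` check can serve as a regression test against any handler that returns `application/xml` built from request data.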