Alist vulnerable to Path Traversal
Critical severity
GitHub Reviewed
Published
Dec 16, 2022
to the GitHub Advisory Database
•
Updated Jan 29, 2023
Package
Affected versions
< 3.6.0
Patched versions
3.6.0
Description
Published by the National Vulnerability Database
Dec 15, 2022
Published to the GitHub Advisory Database
Dec 16, 2022
Reviewed
Dec 16, 2022
Last updated
Jan 29, 2023
In versions of Alist prior to 3.6.0, a user with only file upload permission can bypass the base path restriction by using '... /' to bypass the base path restriction and upload files to an arbitrary path.
References