x/vulndb: potential Go vuln in github.com/alist-org/alist/v3: GHSA-8pph-gfhp-w226

[GoVulnBot]

Advisory GHSA-8pph-gfhp-w226 references a vulnerability in the following Go modules:

Module
github.com/alist-org/alist
github.com/alist-org/alist/v3

Description:
AList is a file list program that supports multiple storages. AList contains a reflected cross-site scripting vulnerability in helper.go. The endpoint /i/:link_name takes in a user-provided value and reflects it back in the response. The endpoint returns an application/xml response, opening it up to HTML tags via XHTML and thus leading to a XSS vulnerability. This vulnerability is fixed in 3.29.0.

References:

• ADVISORY: GHSA-8pph-gfhp-w226
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-47067
• FIX: AlistGo/alist@6100647
• WEB: https://securitylab.github.com/advisories/GHSL-2023-220_Alist

Cross references:

• github.com/alist-org/alist appears in 2 other report(s):
  • data/reports/GO-2022-1161.yaml (x/vulndb: potential Go vuln in github.com/alist-org/alist/v3: GHSA-4gjr-vgfx-9qvw #1161)
  • data/reports/GO-2022-1171.yaml (x/vulndb: potential Go vuln in github.com/alist-org/alist/v3: GHSA-pmg2-rph8-p8r6 #1171)
• github.com/alist-org/alist/v3 appears in 4 other report(s):
  • data/excluded/GO-2022-1162.yaml (x/vulndb: potential Go vuln in github.com/alist-org/alist/v3: GHSA-957m-g6rf-4c2m #1162) NOT_A_VULNERABILITY
  • data/excluded/GO-2023-1845.yaml (x/vulndb: potential Go vuln in github.com/alist-org/alist/v3: GHSA-hh54-53m7-7ffj #1845) EFFECTIVELY_PRIVATE
  • data/reports/GO-2022-1161.yaml (x/vulndb: potential Go vuln in github.com/alist-org/alist/v3: GHSA-4gjr-vgfx-9qvw #1161)
  • data/reports/GO-2022-1171.yaml (x/vulndb: potential Go vuln in github.com/alist-org/alist/v3: GHSA-pmg2-rph8-p8r6 #1171)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/alist-org/alist
      vulnerable_at: 1.0.6
    - module: github.com/alist-org/alist/v3
      versions:
        - fixed: 3.29.0
      vulnerable_at: 3.28.0
summary: Alist reflected Cross-Site Scripting vulnerability in github.com/alist-org/alist
cves:
    - CVE-2024-47067
ghsas:
    - GHSA-8pph-gfhp-w226
references:
    - advisory: https://github.com/advisories/GHSA-8pph-gfhp-w226
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47067
    - fix: https://github.com/alist-org/alist/commit/6100647310594868e931f3de1188ddd8bde93b78
    - web: https://securitylab.github.com/advisories/GHSL-2023-220_Alist
source:
    id: GHSA-8pph-gfhp-w226
    created: 2024-10-10T21:01:21.416088971Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/619696 mentions this issue: data/reports: add 6 reports