search

golang / vulndb

[mirror] The Go Vulnerability Database
Other
565 stars 62 forks source link

x/vulndb: potential Go vuln in github.com/alist-org/alist/v3: GHSA-8pph-gfhp-w226 #3190

Closed GoVulnBot closed 1 month ago

GoVulnBot commented 1 month ago

Advisory GHSA-8pph-gfhp-w226 references a vulnerability in the following Go modules:

Module
github.com/alist-org/alist
github.com/alist-org/alist/v3

Description: AList is a file list program that supports multiple storages. AList contains a reflected cross-site scripting vulnerability in helper.go. The endpoint /i/:link_name takes in a user-provided value and reflects it back in the response. The endpoint returns an application/xml response, opening it up to HTML tags via XHTML and thus leading to a XSS vulnerability. This vulnerability is fixed in 3.29.0.

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/alist-org/alist
      vulnerable_at: 1.0.6
    - module: github.com/alist-org/alist/v3
      versions:
        - fixed: 3.29.0
      vulnerable_at: 3.28.0
summary: Alist reflected Cross-Site Scripting vulnerability in github.com/alist-org/alist
cves:
    - CVE-2024-47067
ghsas:
    - GHSA-8pph-gfhp-w226
references:
    - advisory: https://github.com/advisories/GHSA-8pph-gfhp-w226
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47067
    - fix: https://github.com/alist-org/alist/commit/6100647310594868e931f3de1188ddd8bde93b78
    - web: https://securitylab.github.com/advisories/GHSL-2023-220_Alist
source:
    id: GHSA-8pph-gfhp-w226
    created: 2024-10-10T21:01:21.416088971Z
review_status: UNREVIEWED
gopherbot commented 1 month ago

Change https://go.dev/cl/619696 mentions this issue: data/reports: add 6 reports