A7Um

**Name of the Vulnerable Software and Affected Versions** Alist versions prior to 3.57.0 **Description** Alist, a file list program powered by Gin and Solidjs, has a configuration issue where TLS certificate verification is disabled by default for all outgoing storage driver communications. This allows for potential Man-in-the-Middle (MitM) attacks, enabling decryption, theft, and manipulation of data transmitted during storage operations. This compromises the confidentiality and integrity of user data. **Recommendations** Update to version 3.57.0 or later.

**Name of the Vulnerable Software and Affected Versions** Alist versions prior to 3.57.0 **Description** Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. The application contains a path traversal issue in multiple file operation handlers. An authenticated attacker can bypass directory-level authorization by injecting traversal sequences into filename components. This allows unauthorized file removal, movement, and copying across user boundaries within the same storage mount. The vulnerability affects file operations and potentially compromises data integrity and confidentiality. **Recommendations** Update to version 3.57.0 or later.

**Name of the Vulnerable Software and Affected Versions** OpenList Frontend versions prior to 4.1.10 **Description** The OpenList Frontend application contains a path traversal flaw in multiple file operation handlers within the `server/handles/fsmanage.go` file. The application directly concatenates filename components from the `req.Names` variable with validated directories using `stdpath.Join`, allowing attackers to bypass path restrictions using ".." sequences. This enables authenticated attackers to access files belonging to other users within the same storage mount and perform unauthorized actions, including deletion, renaming, and copying. The vulnerable functions include `FsRemove` and `FsCopy`. An attacker can exploit this by injecting traversal sequences into filename components. The vulnerability allows privilege escalation within shared storage environments. **Recommendations** Versions prior to 4.1.10: Upgrade to version 4.1.10 or later to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** OpenList versions prior to 4.1.10 **Description** The OpenList application disables TLS certificate verification by default for all outgoing storage driver communications, creating a risk of Man-in-the-Middle (MitM) attacks. This allows attackers to intercept and manipulate all storage communications, potentially leading to the decryption, theft, and manipulation of data. Attackers can leverage network-level attacks, such as ARP spoofing or compromised network equipment, to redirect traffic to malicious endpoints. The `TlsInsecureSkipVerify` setting is set to true by default in the `DefaultConfig()` function. This enables attackers to establish encrypted connections with attacker-controlled servers, allowing full decryption and manipulation of storage operations without security warnings. A proof-of-concept demonstrated successful interception of authentication cookies by redirecting traffic to a malicious HTTPS server. **Recommendations** Versions prior to 4.1.10: Upgrade to version 4.1.10 or later to enable certificate verification and mitigate the risk of MitM attacks.

Name of the Vulnerable Software and Affected Versions: gnark versions prior to 0.14.0 Description: gnark is a zero-knowledge proof system framework. The `Verify` function in `eddsa.go` and `ecdsa.go` used the `S` value from a signature without asserting that 0 ≤ `S` < order, leading to a signature malleability issue. This is due to a lack of essential constraints in gnark’s native EdDSA and ECDSA circuits, allowing multiple distinct witnesses to satisfy the same public inputs. In protocols where nullifiers or anti-replay checks are derived from `R` and `S`, this enables signature malleability and may allow double spending. Recommendations: Update to version 0.14.0 to resolve this issue.