Shydlock

Rank: #14453 of 53,624
Total CVSS: 18.6
Vulnerabilities: 2 (High: 1, Critical: 1)
PT-2022-27704
9.8
2022-12-15
Alist · Alist · CVE-2022-45969
**Name of the Vulnerable Software and Affected Versions**
Alist versions prior to 3.6.0

**Description**
The issue allows a user with only file upload permission to bypass the base path restriction by using `'../'` to upload files to an arbitrary path, which is a form of Directory Traversal or Path Traversal. This can potentially lead to unauthorized access to sensitive files or directories.

**Recommendations**
For versions prior to 3.6.0, update to version 3.6.0 or later to resolve the issue. As a temporary workaround, consider restricting file upload permissions to minimize the risk of exploitation.

PT-2022-27703
8.8
2022-12-12
Alist · Alist · CVE-2022-45968
**Name of the Vulnerable Software and Affected Versions**
Alist version 3.4.0

**Description**
The issue allows a user with only file upload permission to upload any file to any folder, including those that are password protected.

**Recommendations**
For Alist version 3.4.0, update to version 3.5.1 to resolve the issue. As a temporary workaround, consider restricting file upload permissions to minimize the risk of exploitation.