CVE-2024-47067

Name of the Vulnerable Software and Affected Versions AList versions prior to 3.29.0

Description AList, a file list program supporting multiple storages, contains a reflected cross-site scripting issue in the helper.go file. The endpoint "/i/:link name" takes a user-provided value and reflects it back in the response, which returns an application/xml response. This allows for the inclusion of HTML tags via XHTML, leading to a cross-site scripting vulnerability.

Recommendations For versions prior to 3.29.0, update to version 3.29.0 to resolve the issue. As a temporary workaround, consider restricting access to the "/i/:link name" endpoint until the update is applied.