Alist v2.1.0 and below was discovered to contain a cross-site scripting (XSS) vulnerability via /i/:data/ipa.plist.
CVSS: 6.1, AI Score: 6, EPSS: 0.001
Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password-protected one).
CVSS: 8.8, AI Score: 8.6, EPSS: 0.001
CVSS: 9.8, AI Score: 9.3, EPSS: 0.002
CVSS: 5.4, AI Score: 5.2, EPSS: 0.001
AList 3.15.1 is vulnerable to Incorrect Access Control, which can be exploited by attackers to obtain sensitive information.
CVSS: 7.5, AI Score: 7.4, EPSS: 0.001
Alist <=3.16.3 is vulnerable to Incorrect Access Control. Low-privilege accounts can upload any file.
CVSS: 8.8, AI Score: 8.7, EPSS: 0.001