How serious is CVE-2022-45970?

This vulnerability has a CVSS score of 5.4 out of 10, classified as MEDIUM severity. No public exploit code has been identified yet.

Which products are affected by CVE-2022-45970?

CVE-2022-45970 affects alistgo alist. Check the full CVE details for specific version information.

How do I fix CVE-2022-45970?

To remediate CVE-2022-45970, check for security patches from alistgo. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2022-45970

Medium

|5.4

No Exploit

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows an attacker to inject malicious scripts into the bulletin board feature of Alist, which could then run in the browsers of users visiting that page. To exploit this, the attacker needs to post a specially crafted message that tricks users into executing the harmful code.

Technical Description

Alist v3.5.1 is vulnerable to Cross Site Scripting (XSS) via the bulletin board.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionRequired

Confidentiality ImpactLow

Integrity ImpactLow

Availability ImpactNone

ScopeChanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$741($500-$1K)

Vendor Response

Grade FPatched in 1159 days

Quick Information

Published

Dec 12, 2022

about 3 years ago

Last Modified

Feb 13, 2026

7 days ago

Vendor

alistgo

Product

alist

Related Vulnerabilities

CVE-2023-33498High

This vulnerability allows low-privilege users to upload any type of file to the system, which could lead to malicious files being executed or sensitive data being exposed. It affects versions of the alist software up to 3.16.3, meaning that if you're using an older version, you should update it immediately to prevent exploitation.

CVE-2023-31726High

This vulnerability allows attackers to access sensitive information that they shouldn't be able to see in AList version 3.15.1. It can be exploited if the attacker knows how to bypass the system's access controls, making it crucial for users to update to a patched version to protect their data.

CVE-2022-45969Critical

This vulnerability allows an attacker to access files and directories on the server that should be restricted, potentially exposing sensitive information. It requires the attacker to send specially crafted requests to the Alist application, making it critical for anyone using version 3.4.0 to secure their system immediately.

CVE-2022-45968High

This vulnerability allows an attacker with file upload permissions to upload any type of file, including potentially harmful ones, to any folder in the system, even those that are password protected. This means that if a user has the ability to upload files, they can exploit this flaw to compromise the security of the entire application.

CVE-2022-26533Medium

This vulnerability allows an attacker to inject malicious scripts into the Alist application, which could then run in the browsers of users who visit the affected page. To exploit this, the attacker needs to trick users into accessing a specially crafted URL that includes the harmful code.