How serious is CVE-2023-33498?

This vulnerability has a CVSS score of 8.8 out of 10, classified as HIGH severity. No public exploit code has been identified yet.

Which products are affected by CVE-2023-33498?

CVE-2023-33498 affects alistgo alist. Check the full CVE details for specific version information.

How do I fix CVE-2023-33498?

To remediate CVE-2023-33498, check for security patches from alistgo. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2023-33498

High

|8.8

No Exploit

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows low-privilege users to upload any type of file to the system, which could lead to malicious files being executed or sensitive data being exposed. It affects versions of the alist software up to 3.16.3, meaning that if you're using an older version, you should update it immediately to prevent exploitation.

Technical Description

alist <=3.16.3 is vulnerable to Incorrect Access Control. Low privilege accounts can upload any file.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionNone

Confidentiality ImpactHigh

Integrity ImpactHigh

Availability ImpactHigh

ScopeUnchanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$4,789($1K-$5K)

Vendor Response

Grade FPatched in 982 days

Quick Information

Published

Jun 7, 2023

over 2 years ago

Last Modified

Feb 13, 2026

7 days ago

Vendor

alistgo

Product

alist

Related Vulnerabilities

CVE-2023-31726High

This vulnerability allows attackers to access sensitive information that they shouldn't be able to see in AList version 3.15.1. It can be exploited if the attacker knows how to bypass the system's access controls, making it crucial for users to update to a patched version to protect their data.

CVE-2022-45969Critical

This vulnerability allows an attacker to access files and directories on the server that should be restricted, potentially exposing sensitive information. It requires the attacker to send specially crafted requests to the Alist application, making it critical for anyone using version 3.4.0 to secure their system immediately.

CVE-2022-45970Medium

This vulnerability allows an attacker to inject malicious scripts into the bulletin board feature of Alist, which could then run in the browsers of users visiting that page. To exploit this, the attacker needs to post a specially crafted message that tricks users into executing the harmful code.

CVE-2022-45968High

This vulnerability allows an attacker with file upload permissions to upload any type of file, including potentially harmful ones, to any folder in the system, even those that are password protected. This means that if a user has the ability to upload files, they can exploit this flaw to compromise the security of the entire application.

CVE-2022-26533Medium

This vulnerability allows an attacker to inject malicious scripts into the Alist application, which could then run in the browsers of users who visit the affected page. To exploit this, the attacker needs to trick users into accessing a specially crafted URL that includes the harmful code.