Gokapi Stored Cross-Site Scripting Vulnerability in File Upload
Vulnerability
A stored cross-site scripting vulnerability has been identified in Gokapi, a self-hosted file sharing server, in versions prior to 2.0.0. When end-to-end encryption is enabled, this vulnerability allows the execution of JavaScript by uploading a file with a maliciously crafted filename. The embedded script is executed after the file is uploaded, each time the upload list is accessed. In versions prior to 2.0.0, all authenticated users could view and modify all resources, including encrypted files, as the encryption key was shared among users. This vulnerability does not affect single-user Gokapi instances.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded files can execute JavaScript in the context of the user viewing the upload list. In the presence of other vulnerabilities, this could lead to more severe impacts, such as redirection or cryptocurrency mining.
Remediation
Users can upgrade to Gokapi version 2.0.0, which addresses this vulnerability. Instructions for upgrading are available in the Gokapi v2.0.0 release notes.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.