Gokapi Cross-Site Scripting Vulnerability in API Key Management

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Gokapi, a self-hosted file sharing server, in versions prior to 2.0.0. An authenticated user can inject JavaScript into the API key overview by setting the friendly name of an API key to a value containing script; the injected script executes when another user opens their API tab. Before version 2.0.0, Gokapi had no user permission system, so every authenticated user could view and modify all resources, including end-to-end encrypted files, because the encryption key was shared among all users. A deployment whose only account is the one authenticated user is not affected by this vulnerability.

Impact

Exploitation results in stored cross-site scripting: the injected JavaScript runs in the browser session of the user viewing the API key overview.

Remediation

Upgrade to Gokapi version 2.0.0 or later, where this vulnerability is fixed. Until then, on an instance with multiple users, avoid opening the API page if another user may have injected code.
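The rendering defect this advisory describes, shown in Go as an added example that is not Gokapi's code: the same overview template renders a constructed friendly name once through html/template's default escaping and once with the value wrapped in template.HTML, an assumed model of how escaping gets bypassed, not the project's actual implementation.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// ApiKey: the key identifier plus the user-editable friendly name that the
// advisory says was rendered into the API key overview.
type ApiKey struct{ ID, FriendlyName string }

// One overview row per key; FriendlyName is user-controlled input.
var overview = template.Must(template.New("overview").Parse(
	`<table>{{range .}}<tr><td>{{.ID}}</td><td>{{.FriendlyName}}</td></tr>{{end}}</table>`))

func render(data interface{}) (string, error) {
	var buf bytes.Buffer
	err := overview.Execute(&buf, data)
	return buf.String(), err
}

// RenderOverview relies on html/template's contextual escaping, so markup
// inside a friendly name is displayed literally rather than parsed.
func RenderOverview(keys []ApiKey) (string, error) {
	return render(keys)
}

// RenderOverviewUnsafe models the defect class (an assumed pattern, not
// Gokapi's actual code): wrapping the user-controlled name in template.HTML
// declares it trusted markup and disables escaping for that value.
func RenderOverviewUnsafe(keys []ApiKey) (string, error) {
	type trusted struct {
		ID           string
		FriendlyName template.HTML
	}
	rows := make([]trusted, 0, len(keys))
	for _, k := range keys {
		rows = append(rows, trusted{k.ID, template.HTML(k.FriendlyName)})
	}
	return render(rows)
}

func main() {
	// Constructed sample: a friendly name carrying markup, as in the advisory.
	keys := []ApiKey{{ID: "key-1", FriendlyName: "<script>alert(1)</script>"}}
	safe, _ := RenderOverview(keys)
	unsafe, _ := RenderOverviewUnsafe(keys)
	fmt.Printf("escaped:   %s\nunescaped: %s\n", safe, unsafe)
}
```

A regression test for a fix of this kind asserts that the rendered overview never contains a raw `<script` sequence for any stored friendly name.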

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 5.2
remediation: 7.7
relevance: 0.2
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.