0Xvpr

#19123 of 53,624
14 Total CVSS
Vulnerabilities · 2 (Medium: 1, High: 1)

PT-2025-38236 · CVSS 6.2 · 2025-09-17 · Zimaos · Zimaos · CVE-2025-58431

**Name of the Vulnerable Software and Affected Versions**
ZimaOS versions prior to 1.4.2

**Description**
ZimaOS, a fork of CasaOS, is susceptible to a file read issue. The `/v2_1/files/file/download` API endpoint allows unauthorized file access from any user with localhost access. File reads are executed with root privileges.

**Recommendations**
Update ZimaOS to version 1.4.2 or later. As a temporary workaround, restrict access to the `/v2_1/files/file/download` endpoint.

PT-2025-38241 · CVSS 7.8 · 2025-09-17 · Casaos · Casaos · CVE-2025-58432

**Name of the Vulnerable Software and Affected Versions**
ZimaOS versions prior to 1.4.1

**Description**
ZimaOS, a fork of CasaOS, is susceptible to a file upload issue. The `/v2_1/files/file/uploadV2` API endpoint permits file uploads from any user with localhost access, and these uploads are executed with root privileges.

**Recommendations**
Update ZimaOS to version 1.4.1 or later.