Sijisu

**Name of the Vulnerable Software and Affected Versions** Gokapi versions prior to 2.2.4 **Description** Gokapi is a self-hosted file sharing server. An authorization flaw in the file replace API allows a user with list visibility permission (`UserPermListOtherUploads`) to delete another user's file by manipulating the `deleteNewFile` flag, circumventing the `UserPermDeleteOtherUploads` requirement. Any authenticated user possessing `PERM REPLACE` and `PERM LIST` permissions can delete files belonging to other users without needing `PERM DELETE` permission. **Recommendations** Update Gokapi to version 2.2.4 or later.

**Name of the Vulnerable Software and Affected Versions** Gokapi versions prior to 2.2.4 **Description** Gokapi is a self-hosted file sharing server that supports automatic expiration and encryption. An API endpoint is susceptible to accepting request bodies of unlimited size. An authenticated user can exploit this to cause an Out-Of-Memory (OOM) kill, leading to a complete service disruption for all users. The issue impacts the server's stability and availability. The affected API endpoint accepts unbounded request bodies. The `request body` is the vulnerable parameter. **Recommendations** Update to version 2.2.4 or later.

**Name of the Vulnerable Software and Affected Versions** Gokapi versions prior to 2.2.4 **Description** Gokapi is a self-hosted file sharing server. The chunked upload completion path for file requests does not validate the total file size against the per-request `MaxSize` limit. An attacker with a public file request link can split an oversized file into chunks, each under `MaxSize`, and upload them sequentially, bypassing the size restriction. Files up to the server's global `MaxFileSizeMB` are accepted regardless of the file request's configured limit. This allows unauthorized storage consumption, circumvention of administrative resource policies, and potential service disruption through storage exhaustion. **Recommendations** Update to version 2.2.4 or later.

**Name of the Vulnerable Software and Affected Versions** Gokapi versions prior to 2.2.3 **Description** Gokapi is a self-hosted file sharing server that supports automatic expiration and encryption. The upload status Server-Sent Events (SSE) implementation on the `/uploadStatus` API endpoint publishes global upload state to any authenticated user and includes `file id` values that are not limited to the requesting user. This can lead to cross-tenant data exposure and loss of confidentiality for uploaded documents, as authenticated users can observe other users' file identifiers and retrieve unauthorized content. **Recommendations** Update to version 2.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** Gokapi versions prior to 2.2.3 **Description** Gokapi, a self-hosted file sharing server, had a flaw in its login process. Before version 2.2.3, the login flow lacked CSRF protection, meaning credential-bearing requests weren’t properly linked to the user’s browser session. The system directly processed form values and established a session upon successful credential verification. This could allow an attacker to hijack a user's session if the attacker knows the credentials, potentially leading to user confusion and misuse of account access. **Recommendations** Update to version 2.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** Gokapi versions prior to 2.2.3 **Description** A malicious authenticated user can achieve stored cross-site scripting (XSS) by uploading SVG files and creating a hotlink for them. The hotlinking functionality does not properly handle scripts included in the SVGs, allowing authenticated attackers with file upload and hotlink capabilities to execute arbitrary JavaScript. **Recommendations** Update to version 2.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** Gokapi versions prior to 2.2.3 **Description** Gokapi is a self-hosted file sharing server that includes automatic expiration and encryption support. A flaw in the user rank demotion logic allows a demoted user’s existing API keys to retain `ApiPermManageFileRequests` and `ApiPermManageLogs` permissions. This enables continued access to upload-request management and log viewing endpoints even after the user has been stripped of all privileges. Specifically, any user who previously held Admin rank and had API keys with `ApiPermManageFileRequests` or `ApiPermManageLogs` retains those capabilities after demotion. This allows offboarded or demoted users to create, list, and delete upload requests, and to read application logs and system status. The affected API endpoints include those for managing upload requests and viewing logs. **Recommendations** Update to version 2.2.3 or later.