Описание
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherUploads) to delete another user's file by abusing the deleteNewFile flag, bypassing the requirement for UserPermDeleteOtherUploads. This vulnerability is fixed in 2.2.4.
Ссылки
- ProductRelease Notes
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2.2.4 (исключая)
cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*
EPSS
Процентиль: 1%
0.00009
Низкий
4.1 Medium
CVSS3
Дефекты
CWE-863
Связанные уязвимости
CVSS3: 4.1
github
28 дней назад
Gokapi vulnerable to Privilege Escalation in File Replace
EPSS
Процентиль: 1%
0.00009
Низкий
4.1 Medium
CVSS3
Дефекты
CWE-863