Published:2018/08/03  Last Updated:2018/08/03

JVN#18716340
Multiple cross-site scripting vulnerabilities in GROWI

Overview

GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities.

Products Affected

  • GROWI v.3.1.11 and earlier

Description

GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below. 

  • Stored cross-site scripting vulnerability in the UserGroup Management section of admin page (CWE-79) - CVE-2018-0652
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N Base Score: 5.5
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0
  • Stored cross-site scripting vulnerability in Wiki page view (CWE-79) - CVE-2018-0653
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Base Score: 6.4
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0
  • Reflected cross-site scripting vulnerability in the modal for creating Wiki page (CWE-79) - CVE-2018-0654
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • Stored cross-site scripting in the app settings section of admin page (CWE-79) - CVE-2018-0655
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N Base Score: 5.5
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0

Impact

  • An arbitrary script may be executed on a logged-in user's web browser. - CVE-2018-0652, CVE-2018-0653
  • An arbitrary script may be executed on the user's web browser. - CVE-2018-0654, CVE-2018-0655

Solution

Update the software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
WESEEK, Inc. Vulnerable 2018/08/03 WESEEK, Inc. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

The following researchers reported the vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2018-0652, CVE-2018-0653
Yoshinori Hayashi of Information Science College

CVE-2018-0654, CVE-2018-0655
Kanta Nishitani of Information Science College

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2018-0652
CVE-2018-0653
CVE-2018-0654
CVE-2018-0655
JVN iPedia JVNDB-2018-000085