Published:2018/08/03 Last Updated:2018/08/03
JVN#18716340
Multiple cross-site scripting vulnerabilities in GROWI
Overview
GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities.
Products Affected
- GROWI v.3.1.11 and earlier
Description
GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below.
- Stored cross-site scripting vulnerability in the UserGroup Management section of admin page (CWE-79) - CVE-2018-0652
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N Base Score: 5.5 CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0 - Stored cross-site scripting vulnerability in Wiki page view (CWE-79) - CVE-2018-0653
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Base Score: 6.4 CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0 - Reflected cross-site scripting vulnerability in the modal for creating Wiki page (CWE-79) - CVE-2018-0654
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1 CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6 - Stored cross-site scripting in the app settings section of admin page (CWE-79) - CVE-2018-0655
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N Base Score: 5.5 CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0
Impact
- An arbitrary script may be executed on a logged-in user's web browser. - CVE-2018-0652, CVE-2018-0653
- An arbitrary script may be executed on the user's web browser. - CVE-2018-0654, CVE-2018-0655
Solution
Update the software
Update to the latest version according to the information provided by the developer.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
WESEEK, Inc. | Vulnerable | 2018/08/03 | WESEEK, Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
The following researchers reported the vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2018-0652, CVE-2018-0653
Yoshinori Hayashi of Information Science College
CVE-2018-0654, CVE-2018-0655
Kanta Nishitani of Information Science College
Other Information
JPCERT Alert |
|
JPCERT Reports |
|
CERT Advisory |
|
CPNI Advisory |
|
TRnotes |
|
CVE |
CVE-2018-0652 |
CVE-2018-0653 |
|
CVE-2018-0654 |
|
CVE-2018-0655 |
|
JVN iPedia |
JVNDB-2018-000085 |