Published: 2019/06/07  Last Updated: 2019/06/07

Information from WESEEK, Inc.

Vulnerability ID: JVN#84876282
Title: Multiple vulnerabilities in GROWI
Status: Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

[Summary]
GROWI is developed by WESEEK, Inc.
GROWI releases prior to v3.4.6 contain an open redirect vulnerability and a cross-site request forgery vulnerability.

[Affected Products]
This bug affects GROWI releases prior to v3.4.6.

[Description]
GROWI releases prior to v3.4.6 contain an open redirect vulnerability and a cross-site request forgery vulnerability.

[Impact by open redirect vulnerability]
When accessing a specially crafted page, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack.

[Impact by cross-site request forgery vulnerability]
An attacker can modify information of other users.

[Solution]
Upgrade to v3.4.7 or later.