Published: 2019/06/07 Last Updated: 2019/06/07
JVN#84876282
Multiple vulnerabilities in GROWI
Overview
GROWI contains multiple vulnerabilities.
Products Affected
- GROWI v3.4.6 and earlier
Description
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
- Cross-site request forgery vulnerability in the process of updating user's "Basic Info" (CWE-352) - CVE-2019-5968
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3
  CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
- Open redirect vulnerability in the process of login (CWE-601) - CVE-2019-5969
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Base Score: 4.7
  CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
Impact
- If a user views a malicious page while logged in, unintended operations may be performed. - CVE-2019-5968
- By logging in to the product via a specially crafted URL, the user may be redirected to an arbitrary website. - CVE-2019-5969
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
WESEEK, Inc. | Vulnerable | 2019/06/07 | WESEEK, Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Security Group of DeCurret Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2019-5968, CVE-2019-5969 |
JVN iPedia | JVNDB-2019-000033 |