Published: 2020/11/25  Last Updated: 2020/11/25

JVN#56450373
Multiple vulnerabilities in GROWI

Overview

GROWI contains multiple vulnerabilities.

Products Affected

CVE-2020-5676
  • GROWI v4.1.3 and earlier

CVE-2020-5677
  • GROWI v4.0.0 and earlier

CVE-2020-5678
  • GROWI v3.8.1 and earlier

Description

GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.

  • Information disclosure (CWE-200) - CVE-2020-5676
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 5.3
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N Base Score: 5.0
  • Reflected cross-site scripting vulnerability due to a flaw in processing input URLs (CWE-79) - CVE-2020-5677
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
  • Stored cross-site scripting vulnerability due to a flaw in processing POST requests (CWE-79) - CVE-2020-5678
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4
    CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5

Impact

  • A remote attacker may obtain information that they are not permitted to access. - CVE-2020-5676
  • An arbitrary script may be executed on the user's web browser. - CVE-2020-5677, CVE-2020-5678

Solution

Update the software
Update the software to version v4.1.5 or later according to the information provided by the developer.

Vendor Status

Vendor         Status       Last Update   Vendor Notes
WESEEK, Inc.   Vulnerable   2020/11/25

Credit

Norihide Saito of information science college reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2020-5676, CVE-2020-5677, CVE-2020-5678
JVN iPedia: JVNDB-2020-000077