JVN#96493183
GROWI vulnerable to cross-site scripting
Overview
GROWI contains a cross-site scripting vulnerability.
Products Affected
- GROWI v3.2.3 and earlier
Description
GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability (CWE-79).
The settings option for enabling and disabling the measures against cross-site scripting ("Enable XSS prevention" option) was introduced in v3.1.12. However, there was an issue with the implementation where the option looks enabled although the measures are disabled. This vulnerability was addressed in v3.2.4 according to the developer.
Impact
An arbitrary script may be executed on the user's web browser.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Another cross-site scripting vulnerability due to a flaw in the processing of "New Page modal" (CVE-2018-16205) was also addressed in v3.2.5.
Apply a Workaround
If you are using GROWI v3.1.12 and later, and for a certain reason you cannot update or have difficulty with updating the product, log in as an administrator and follow the steps below to properly reflect the settings of "Enable XSS prevention" option.
1. Access Markdown settings (/admin/markdown)
2. Turn "Enable XSS Prevention" option OFF and save
3. Turn "Enable XSS Prevention" option ON, select "Recommended Setting" and save
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| WESEEK, Inc. | Vulnerable | 2018/12/26 | WESEEK, Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Takashi Yoneuchi of The University of Tokyo College of Arts and Sciences reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE |
CVE-2018-0698 |
|
CVE-2018-16205 |
|
| JVN iPedia |
JVNDB-2018-000137 |