Information from WESEEK, Inc.
Vulnerability ID:JVNVU#94889258
Title:Multiple vulnerabilities in GROWI
Status:Vulnerable
This is a statement from the vendor itself with no modification by JPCERT/CC.
[Summary]
GROWI is developed by WESEEK, Inc.
GROWI releases prior to v4.2.19 contain bugs that cause risks that can be exploited to perform multiple cross-site scripting attacks.
[Affected Products]
1 ~ 4: These bugs affect GROWI releases prior to v4.2.3.
5: The bug affects GROWI releases prior to v4.2.20.
[Description]
GROWI releases prior to v4.2.20 contain bugs that can be exploited to perform cross-site scripting attacks.
[Impact]
1. An attacker can execute potentially malicious script code to attachments on the website visitor's browser.
2. Certain files can be read and deleted.
3. Some user information can be disclosed without authentication.
4. Certain files can be updated. As a result, malicious code can be executed by an attacker.
5. Arbitrary scripts can be executed in the browser of the user who viewed the specially crafted page.
[Solution]
Please upgrade your GROWI to v4.2.20 or later.
[Where to get the updated version]
- [GitHub](https://github.com/weseek/growi)
- [Docker Hub](https://hub.docker.com/r/weseek/growi/)