Published: 2023/12/13  Last Updated: 2023/12/13

Information from WESEEK, Inc.

Vulnerability ID: JVN#18715935
Title: Multiple vulnerabilities in GROWI
Status: Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

[Summary]
GROWI is developed by WESEEK, Inc.
GROWI releases prior to v6.1.11 contain vulnerabilities that can be exploited to perform cross-site scripting (XSS) or cross-site request forgery (CSRF) attacks, and that may also lead to disclosure of a secret access key and to unintended account deletion or suspension.

[Affected Products]
The affected products are as follows:
Product name: GROWI
[1] XSS in the presentation feature
- Affected version: Versions prior to v3.4.0
[2] XSS via JSON generated on the server side whose data is not HTML-escaped
- Affected version: Versions prior to v3.5.0
[3] XSS in uploaded files (profile images)
- Affected version: Versions prior to v4.1.3
Vulnerabilities [4] to [10] below
- Affected version: Versions prior to v6.0.0
[4] CSRF in the user settings (/me) page
[5] XSS using XSS Filter behavior
[6] Stored XSS via img tags
[7] Stored XSS via event handlers of pre tags
[8] Stored XSS via anchor tags
[9] Stored XSS via MathJax
[10] Stored XSS in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page
Vulnerabilities [11] and [12] below
- Affected version: Versions prior to v6.0.6
[11] Secret access key displayed in plain text on the App Settings (/admin/app) page
[12] Unexpected account deletion or suspension on the User Management (/admin/users) page
[13] XSS via the whitelist of e-mail addresses permitted to register on the Security Settings (/admin/security) page
- Affected version: Versions prior to v6.1.11

[Description]
- Cross-site scripting (XSS) vulnerabilities exist in GROWI.
- A cross-site request forgery (CSRF) vulnerability exists in GROWI.
- A secret access key may be disclosed.
- Accounts may be deleted or suspended unexpectedly in GROWI.
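Item [2] above describes the general pattern of server-generated JSON written into an HTML page without HTML escaping. The following is an added example written for this page; it is not GROWI code and not from WESEEK. The function names (renderPageNaive, renderPageSafe, safeJsonForScript, breaksOutOfScript) and the attacker-controlled sample data are assumptions made for the illustration. It shows why JSON.stringify alone is not safe inside a script block and how escaping the parser-relevant characters as JSON \uXXXX sequences closes the hole without changing the decoded value.

```javascript
'use strict';
// Added illustration, not GROWI code: JSON generated on the server and written
// into the page without HTML escaping (item [2] in this advisory). The function
// names and the sample data below are assumptions made for this example.

// Vulnerable pattern: JSON.stringify leaves "<", ">", "&" and the U+2028/U+2029
// line terminators untouched. The HTML tokenizer ends a script block at the
// first "</script" it sees, regardless of JavaScript string quoting, so a value
// containing "</script>" terminates the block and the rest is parsed as HTML.
function renderPageNaive(data) {
  return '<script>window.__DATA__ = ' + JSON.stringify(data) + ';</script>';
}

// Hardened pattern: replace every character that matters to the HTML parser
// with its JSON \uXXXX escape. The output is still valid JSON and valid
// JavaScript, so both the browser and JSON.parse recover the original value.
const SCRIPT_ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

function safeJsonForScript(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (ch) => SCRIPT_ESCAPES[ch]);
}

function renderPageSafe(data) {
  return '<script>window.__DATA__ = ' + safeJsonForScript(data) + ';</script>';
}

// Check: does the first "</script" in the emitted markup occur anywhere other
// than the closing tag we wrote ourselves? If so, the data broke out of the block.
function breaksOutOfScript(html) {
  const inner = html.slice('<script>'.length);
  const firstClose = inner.search(/<\/script/i);
  const ourClose = inner.length - '</script>'.length;
  return firstClose !== ourClose;
}

// Constructed attacker-controlled input (e.g. a page title), not real data.
const attackerData = {
  title: '</script><img src=x onerror="alert(document.cookie)">',
  count: 3,
};

function demo() {
  const roundTrip = JSON.parse(safeJsonForScript(attackerData));
  return {
    naiveBreaksOut: breaksOutOfScript(renderPageNaive(attackerData)),
    safeBreaksOut: breaksOutOfScript(renderPageSafe(attackerData)),
    roundTripOk: roundTrip.title === attackerData.title && roundTrip.count === attackerData.count,
  };
}

console.log(demo());
```

Escaping "<" also covers the "<!--" sequence, which puts the HTML tokenizer into its escaped script state; "&" is escaped so the same serializer remains safe if the JSON is ever placed in an attribute value rather than a script block.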

[Impact]
- Malicious scripts may be injected and executed, which can display fake pages or cause cookies to be read or set without the user's intent.
- A logged-in user who is induced to send a malicious request from an external site may be made to perform actions available only after login, or to alter or register information that only logged-in users can edit.
- A malicious user who gains access to the administration (/admin) pages, through XSS or other means, may obtain the secret access key, which can lead to disclosure of information or unauthorized use of external resources.
- A malicious user who gains access to the administration (/admin) pages, through XSS or other means, may delete or suspend the hijacked account.

[Solution]
[1] XSS in the presentation feature
- Please update GROWI to v3.4.0 or later.
[2] XSS via JSON generated on the server side whose data is not HTML-escaped
- Please update GROWI to v3.5.0 or later.
[3] XSS in uploaded files (profile images)
- Please update GROWI to v4.1.3 or later.
Vulnerabilities [4] to [10] below
- Please update GROWI to v6.0.0 or later.
[4] CSRF in the user settings (/me) page
[5] XSS using XSS Filter behavior
[6] Stored XSS via img tags
[7] Stored XSS via event handlers of pre tags
[8] Stored XSS via anchor tags
[9] Stored XSS via MathJax
[10] Stored XSS in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page
Vulnerabilities [11] and [12] below
- Please update GROWI to v6.0.6 or later.
[11] Secret access key displayed in plain text on the App Settings (/admin/app) page
[12] Unexpected account deletion or suspension on the User Management (/admin/users) page
[13] XSS via the whitelist of e-mail addresses permitted to register on the Security Settings (/admin/security) page
- Please update GROWI to v6.1.11 or later.

[Where to get the updated version]
- GitHub (https://github.com/weseek/growi/)
- Docker Hub (https://hub.docker.com/r/weseek/growi/)