Published: 2025/10/22  Last Updated: 2025/10/22

Information from GROWI, Inc.

Vulnerability ID: JVN#46526244
Title: GROWI vulnerable to cross-site scripting
Status: Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

[Summary]
It has been discovered that our GROWI system has a cross-site scripting vulnerability.

[Affected Products]
This bug affects all versions of GROWI prior to v4.2.8.

[Description]
- A reflected cross-site scripting (XSS) vulnerability exists in the page alert function of "GROWI."

- This vulnerability is caused by improperly handling user input from URL query parameters, allowing an attacker to execute arbitrary JavaScript code.

[Impact]
- **Session Hijacking:** An attacker may steal user session cookies and gain unauthorized access to an account.
- **Website Defacement:** An attacker may inject scripts to alter the page's display or show false information.
- **Redirection to Malicious Sites:** Users may be automatically redirected to phishing sites or fraudulent websites to steal personal information (e.g., passwords, credit card details).
- **Malware Distribution:** An attacker may force a user's browser to download malware.
- **Sensitive Information Theft:** Scripts may be used to scrape and steal sensitive data, such as private documents or user lists, and send it to the attacker's server.

[Solution]
- Please update to v4.2.8 or a later version.

### Where to get the updated version
- [GitHub](https://github.com/weseek/growi)
- [Docker Hub](https://hub.docker.com/r/weseek/growi/)
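The description above points at the root cause of a reflected XSS: text taken from a URL query parameter is placed into page markup without being escaped. The following is an added example, not GROWI's own code and not the vendor's fix; it shows the unsafe pattern next to the hardened one so that a reviewer can recognise both. The function names, the `msg` parameter name and the sample URL are hypothetical, constructed for illustration.

```javascript
// Added example (not GROWI's code): rendering a URL query parameter into a page alert.
// Function names, the "msg" parameter and the sample URL are hypothetical.

// Minimal HTML escaper for text-node context. It neutralises the characters that
// can terminate a text node or an attribute value. A lookup table avoids the
// classic mistake of escaping "&" after the other entities have been inserted.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the alert text from the query string. URLSearchParams already applies
// percent-decoding, so the returned value is exactly what the browser would see.
function getAlertParam(url, name = 'msg') {
  return new URL(url).searchParams.get(name) ?? '';
}

// Unsafe pattern: the raw parameter is concatenated into markup. If this string is
// later assigned to innerHTML, any tags in the query string become live DOM nodes.
function renderAlertUnsafe(url) {
  return `<div class="alert">${getAlertParam(url)}</div>`;
}

// Hardened pattern: the parameter is escaped before it lands in an HTML text node,
// so tags in the query string are displayed literally rather than interpreted.
function renderAlertSafe(url) {
  return `<div class="alert">${escapeHtml(getAlertParam(url))}</div>`;
}

// Constructed sample: the msg parameter carries a harmless <b> tag (URL-encoded).
const SAMPLE_URL = 'https://wiki.example.invalid/page?msg=%3Cb%3Ehello%3C%2Fb%3E';

console.log(renderAlertUnsafe(SAMPLE_URL)); // <div class="alert"><b>hello</b></div>
console.log(renderAlertSafe(SAMPLE_URL));   // <div class="alert">&lt;b&gt;hello&lt;/b&gt;</div>
```

In a real page the simplest hardening is to avoid building HTML strings at all: write the parameter into the alert element with `textContent` (or let a templating framework auto-escape it) and never with `innerHTML`. The escaper above is only correct for text-node context; a value placed inside an attribute, a URL or inline script needs the escaping rules of that context. A Content Security Policy that forbids inline scripts limits the damage if an escaping gap is ever missed.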