Information from GROWI, Inc.
Vulnerability ID: JVN#55745775
Title: GROWI vulnerable to cross-site request forgery
Status: Vulnerable
This is a statement from the vendor itself with no modification by JPCERT/CC.
[Summary]
It has been discovered that the GROWI system provided by our company contains a cross-site request forgery (CSRF) vulnerability.
[Affected Products]
This bug affects GROWI v7.3.3 and earlier versions.
[Description]
If a user accesses a maliciously crafted page while logged in, they may be forced to perform unintended operations.
[Impact]
- An attacker can exploit the victim’s privileges to tamper with application settings or content.
- An attacker can trick a victim into visiting a malicious page, causing arbitrary files to be uploaded and attached to crafted pages without authorization.
[Solution]
Please upgrade your GROWI to v7.3.4 or later.
[Where to get the updated version]
- [GitHub](https://github.com/growilabs/growi)
- [Docker Hub](https://hub.docker.com/r/growilabs/growi)
