Published: 2020/11/25  Last Updated: 2020/11/25

Information from WESEEK, Inc.

Vulnerability ID: JVN#56450373
Title: Multiple vulnerabilities in GROWI

This is a statement from the vendor itself with no modification by JPCERT/CC.

GROWI is developed by WESEEK, Inc.
GROWI releases prior to v4.1.3 contain some bugs.

[Affected Products]
This bug affects GROWI releases prior to v4.1.3.

・GROWI v4.1.3 and earlier
・GROWI v4.0.0 and earlier
・GROWI v3.8.1 and earlier

A certain API returns a user's email address even when the user has set it to private.
Arbitrary scripts can be executed in the user's web browser.

A user's email address may become known to third parties even when the user has set it to private.
A cross-site scripting (XSS) vulnerability could allow arbitrary scripts to be executed.

Please update GROWI to v4.1.5 or later.

[Where to get the updated version]
[Docker Hub](