Information from WESEEK, Inc.
Vulnerability ID: JVN#56450373
Title: Multiple vulnerabilities in GROWI
Status: Vulnerable
This is a statement from the vendor itself with no modification by JPCERT/CC.
[Summary]
GROWI is developed by WESEEK, Inc.
GROWI releases prior to v4.1.3 contain some bugs.
[Affected Products]
This bug affects GROWI releases prior to v4.1.3.
CVE-2020-5676
・GROWI v4.1.3 and earlier
CVE-2020-5677
・GROWI v4.0.0 and earlier
CVE-2020-5678
・GROWI v3.8.1 and earlier
[Description]
A certain API returns a user's email address even when the user has set it to private.
Arbitrary scripts can be executed in the user's web browser.
[Impact]
Email addresses may become known to third parties even when the user has set them to private.
A cross-site scripting (XSS) vulnerability could allow arbitrary scripts to be executed.
[Solution]
Please update GROWI to v4.1.5 or later.
[Where to get the updated version]
[GitHub](https://github.com/weseek/growi)
[Docker Hub](https://hub.docker.com/r/weseek/growi/)