Published: 2021/01/19  Last Updated: 2021/01/19

Information from WESEEK, Inc.

Vulnerability ID:JVN#57544707
Title:GROWI vulnerable to cross-site scripting
Status:Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

[Summary]
GROWI is developed by WESEEK, Inc.
GROWI releases prior to v4.2.3 contain a bug that causes risks that can be exploited to perform cross-site scripting attacks.

[Affected Products]
This bug affects GROWI from v4.2.0 to v4.2.2

[Description]
GROWI releases prior to v4.2.3 contain bugs that can be exploited to perform cross-site scripting attacks.

[Impact]
An attacker can execute potentially malicious script code on the website visitor's browser.

[Solution]
Please upgrade your GROWI to v4.1.3 or later.

### Where to get the updated version
- [GitHub](https://github.com/weseek/growi)
- [Docker Hub](https://hub.docker.com/r/weseek/growi/)