Information from GROWI, Inc.
Vulnerability ID: JVN#62079296
Title: GROWI vulnerable to stored cross-site scripting
Status: Vulnerable
This is a statement from the vendor itself with no modification by JPCERT/CC.
[Summary]
GROWI is developed by GROWI, Inc.
GROWI contains a stored cross-site scripting vulnerability in the way it handles and serves uploaded attachments.
[Affected Products]
This vulnerability affects GROWI versions up to and including v7.4.6.
[Description]
GROWI contains a **Stored Cross-Site Scripting (XSS)** vulnerability in its attachment upload functionality. The application does not restrict the `Content-Type` under which uploaded attachments are served, so an uploaded HTML or SVG file is delivered to the browser as a renderable document and any script embedded in it executes when another user opens the attachment.
[Impact]
An attacker with upload privileges can execute arbitrary JavaScript in the context of the file delivery domain. If attachments are served from the same origin as the wiki itself, that script runs with the wiki's origin. This could be used for phishing attacks or for distributing malicious content to other users who open the attachment.
[Solution]
Please upgrade GROWI to version 7.4.7 or later.
The fix introduces management of the `Content-Disposition` header based on a MIME type allowlist. Only files whose MIME type the administrator has explicitly allowed for "inline" viewing are served inline; every other file is served as an "attachment", so the browser downloads it instead of rendering or executing it. Administrators should be aware that adding `text/html` or `image/svg+xml` to the inline allowlist reintroduces the problem, since both formats can carry script.
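The following is an added illustration of the serving policy described above, written for this page and not taken from GROWI's own code base. It models the fix as a pure decision function: the media type of a stored attachment is normalized, compared against an administrator-managed inline allowlist, and everything not on the list is forced to `Content-Disposition: attachment`. The function names, the default allowlist contents and the sample uploads are assumptions made for the example.

```javascript
// Added example (not GROWI's code): a Content-Disposition policy for served attachments,
// modelled on the fix the advisory describes. Only MIME types on an administrator-managed
// allowlist are served inline; everything else is forced to download. Function names,
// the default allowlist and the sample uploads below are assumptions for illustration.

// Types an administrator might allow for inline viewing. text/html and image/svg+xml are
// deliberately absent: both formats can carry script, which is what the advisory is about.
const DEFAULT_INLINE_ALLOWLIST = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp',
  'application/pdf', 'text/plain',
]);

// Reduce a Content-Type value to its lowercase media type, dropping parameters such as
// "; charset=utf-8". Anything missing or empty is treated as an opaque binary blob.
function normalizeMimeType(contentType) {
  if (typeof contentType !== 'string') return 'application/octet-stream';
  const mediaType = contentType.split(';')[0].trim().toLowerCase();
  return mediaType || 'application/octet-stream';
}

// Build the filename parameters: an ASCII-only filename= for old clients and an
// RFC 5987 filename*= carrying the original name as percent-encoded UTF-8.
function filenameParams(filename) {
  const ascii = filename.replace(/[^\x20-\x7e]/g, '_').replace(/["\\]/g, '_');
  return `filename="${ascii}"; filename*=UTF-8''${encodeURIComponent(filename)}`;
}

// The core policy decision: "inline" only when the normalized type is allow-listed.
function decideDisposition(contentType, allowlist = DEFAULT_INLINE_ALLOWLIST) {
  return allowlist.has(normalizeMimeType(contentType)) ? 'inline' : 'attachment';
}

// Headers for serving one stored attachment. X-Content-Type-Options: nosniff is added so
// that a browser does not sniff an inline text/plain or image body and treat it as HTML.
function attachmentHeaders(contentType, filename, allowlist = DEFAULT_INLINE_ALLOWLIST) {
  const mediaType = normalizeMimeType(contentType);
  return {
    'Content-Type': mediaType,
    'Content-Disposition': `${decideDisposition(mediaType, allowlist)}; ${filenameParams(filename)}`,
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed sample uploads (not real data) to show the policy at work.
const SAMPLE_UPLOADS = [
  { filename: 'diagram.png', contentType: 'image/png' },
  { filename: 'notes.txt', contentType: 'text/plain; charset=utf-8' },
  { filename: 'logo.svg', contentType: 'image/svg+xml' },   // SVG can embed <script>
  { filename: 'report.html', contentType: 'text/html' },     // HTML can embed <script>
  { filename: 'unknown.bin', contentType: undefined },       // no type recorded at upload
];

// Apply the policy to every sample upload and return the decisions.
function demonstrateUploads(allowlist = DEFAULT_INLINE_ALLOWLIST) {
  return SAMPLE_UPLOADS.map(({ filename, contentType }) => ({
    filename,
    mediaType: normalizeMimeType(contentType),
    disposition: decideDisposition(contentType, allowlist),
  }));
}

console.table(demonstrateUploads());
```

Passing a different `Set` as the allowlist stands in for the administrator's configuration; the example shows that an allowlist containing `image/svg+xml` makes the SVG inline again, which is why the advice above is not to add script-capable types to it.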
### Where to get the updated version
- [GitHub](https://github.com/growilabs/growi)
- [Docker Hub](https://hub.docker.com/r/growilabs/growi/)
