Published: 2021/03/10  Last Updated: 2021/03/10

JVN#86438134
Multiple cross-site scripting vulnerabilities in GROWI

Overview

GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities.

Products Affected

  • GROWI versions from v4.2.0 to v4.2.7 (v4.2 Series)
According to the developer, these vulnerabilities affect v4.2 series only.

Description

GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below.

  • Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters (CWE-79) - CVE-2021-20672
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • Stored cross-site scripting vulnerability in Admin Page (CWE-79) - CVE-2021-20673
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Base Score: 4.8
    CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5

Impact

An arbitrary script may be executed on a logged-in user's web browser.

Solution

Update the software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor        Status      Last Update  Vendor Notes
WESEEK, Inc.  Vulnerable  2021/03/10   WESEEK, Inc. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Naoya Miyaguchi of 3-shake Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert:
JPCERT Reports:
CERT Advisory:
CPNI Advisory:
TRnotes:
CVE: CVE-2021-20672, CVE-2021-20673
JVN iPedia: JVNDB-2021-000019