Published: 2025/11/06  Last Updated: 2025/11/06

Information from GROWI, Inc.

Vulnerability ID: JVN#95942191
Title: GROWI vulnerable to stored cross-site scripting
Status: Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

[Summary]
It has been discovered that our GROWI system has a cross-site scripting vulnerability.

[Affected Products]
This bug affects all GROWI versions prior to v7.2.10.

[Description]
A cross-site scripting (XSS) vulnerability exists in GROWI where attacker-specified JavaScript can be executed in a user's browser if the user accesses a malicious page.

[Impact]
- Information on pages that only the victim user can view or user information may be leaked. If an administrator account is compromised, information viewable from the admin screen could also be leaked.

- The execution of JavaScript could lead to the alteration of page content.

[Solution]
Please update to v7.3.0 or a later version.

[Where to get the updated version]
- [GitHub](https://github.com/growilabs/growi)
- [Docker Hub](https://hub.docker.com/r/growilabs/growi)