Information from WESEEK, Inc.
Vulnerability ID:JVN#96493183
Title:GROWI vulnerable to cross-site scripting
Status:Vulnerable
This is a statement from the vendor itself with no modification by JPCERT/CC.
[Summary]
GROWI is developed by WESEEK, Inc.
GROWI releases prior to v3.2.3 contain a bug that raise a risk which can be exploited to perform cross-site scripting attacks.
[Affected Products]
This bug affects GROWI releases prior to v3.2.3
[Description]
GROWI releases prior to v3.2.3 contain a bug which can be exploited to perform cross-site scripting attacks.
[Impact]
An attacker can execute potentially malicious script code on website visitor's browser.
[Solution]
Process either of following.
a. Upgrade to v3.2.4 or later.
Note: v3.2.5 fixes an another vulnerability that XSS may be caused when URL string is processed by 'New Page Modal.
b. Process following with admin account.
1. Access to Markdown settings(/admin/markdown)
2. Turn "Enable XSS Prevention" option OFF for a moment and save
3. Turn "Enable XSS Prevention" option ON, select "Recommended Setting" and save
