Published: 2021/03/08  Last Updated: 2021/03/08

Information from WESEEK, Inc.

Vulnerability ID: JVNVU#94889258
Title: Multiple vulnerabilities in GROWI
Status: Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

[Summary]
GROWI is developed by WESEEK, Inc.
GROWI releases prior to v4.2.3 contain a bug that can be exploited to perform multiple cross-site scripting attacks.

[Affected Products]
These bugs affect GROWI releases prior to v4.2.3.

[Description]
GROWI releases prior to v4.2.3 contain bugs that can be exploited to perform cross-site scripting attacks.

[Impact]
1. An attacker can execute potentially malicious script code to attachments on the website visitor's browser.
2. Certain files can be read and deleted.
3. Some user information can be disclosed without authentication.
4. Certain files can be updated. As a result, malicious code can be executed by an attacker.

[Solution]
Please upgrade your GROWI to v4.2.3 or later.

[Where to get the updated version]
- [GitHub](https://github.com/weseek/growi)
- [Docker Hub](https://hub.docker.com/r/weseek/growi/)