Search criteria
81 vulnerabilities found for GROWI by WESEEK, Inc.
CVE-2023-42436 (GCVE-0-2023-42436)
Vulnerability from cvelistv5 – Published: 2023-12-26 07:22 – Updated: 2024-08-02 19:16
VLAI?
Summary
Stored cross-site scripting vulnerability exists in the presentation feature of GROWI versions prior to v3.4.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v3.4.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:16:51.003Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v3.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the presentation feature of GROWI versions prior to v3.4.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:22:50.373Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-42436",
"datePublished": "2023-12-26T07:22:50.373Z",
"dateReserved": "2023-12-07T02:39:45.772Z",
"dateUpdated": "2024-08-02T19:16:51.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50332 (GCVE-0-2023-50332)
Vulnerability from cvelistv5 – Published: 2023-12-26 07:21 – Updated: 2024-08-02 22:16
VLAI?
Summary
Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6. If this vulnerability is exploited, a user may delete or suspend its own account without the user's intention.
Severity ?
No CVSS data available.
CWE
- Improper authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.265Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6. If this vulnerability is exploited, a user may delete or suspend its own account without the user\u0027s intention.\r\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper authorization",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:24.393Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-50332",
"datePublished": "2023-12-26T07:21:24.393Z",
"dateReserved": "2023-12-07T02:39:51.268Z",
"dateUpdated": "2024-08-02T22:16:46.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50294 (GCVE-0-2023-50294)
Vulnerability from cvelistv5 – Published: 2023-12-26 07:21 – Updated: 2024-08-02 22:16
VLAI?
Summary
The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained by an attacker who can access the App Settings page.
Severity ?
No CVSS data available.
CWE
- Cleartext storage of sensitive information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.259Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained by an attacker who can access the App Settings page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cleartext storage of sensitive information",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:19.831Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-50294",
"datePublished": "2023-12-26T07:21:19.831Z",
"dateReserved": "2023-12-07T02:39:43.973Z",
"dateUpdated": "2024-08-02T22:16:46.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50175 (GCVE-0-2023-50175)
Vulnerability from cvelistv5 – Published: 2023-12-26 07:21 – Updated: 2025-04-23 15:59
VLAI?
Summary
Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
5.4 (Medium)
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.793Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-50175",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-02T17:53:10.816140Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T15:59:54.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:15.728Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-50175",
"datePublished": "2023-12-26T07:21:15.728Z",
"dateReserved": "2023-12-07T02:39:52.053Z",
"dateUpdated": "2025-04-23T15:59:54.774Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49807 (GCVE-0-2023-49807)
Vulnerability from cvelistv5 – Published: 2023-12-26 07:21 – Updated: 2024-08-02 22:01
VLAI?
Summary
Stored cross-site scripting vulnerability when processing the MathJax exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:26.024Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability when processing the MathJax exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:11.658Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-49807",
"datePublished": "2023-12-26T07:21:11.658Z",
"dateReserved": "2023-12-07T02:39:44.808Z",
"dateUpdated": "2024-08-02T22:01:26.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49779 (GCVE-0-2023-49779)
Vulnerability from cvelistv5 – Published: 2023-12-26 07:21 – Updated: 2024-08-02 22:01
VLAI?
Summary
Stored cross-site scripting vulnerability exists in the anchor tag of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:25.681Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the anchor tag of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:06.972Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-49779",
"datePublished": "2023-12-26T07:21:06.972Z",
"dateReserved": "2023-12-07T02:39:53.189Z",
"dateUpdated": "2024-08-02T22:01:25.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49598 (GCVE-0-2023-49598)
Vulnerability from cvelistv5 – Published: 2023-12-26 07:21 – Updated: 2024-08-02 22:01
VLAI?
Summary
Stored cross-site scripting vulnerability exists in the event handlers of the pre tags in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:25.946Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the event handlers of the pre tags in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:02.611Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-49598",
"datePublished": "2023-12-26T07:21:02.611Z",
"dateReserved": "2023-12-07T02:39:42.967Z",
"dateUpdated": "2024-08-02T22:01:25.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49119 (GCVE-0-2023-49119)
Vulnerability from cvelistv5 – Published: 2023-12-26 07:20 – Updated: 2024-11-27 15:22
VLAI?
Summary
Stored cross-site scripting vulnerability via the img tags exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:46:29.293Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49119",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-10T20:31:53.312588Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T15:22:12.385Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability via the img tags exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:58.393Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-49119",
"datePublished": "2023-12-26T07:20:58.393Z",
"dateReserved": "2023-12-07T02:39:46.701Z",
"dateUpdated": "2024-11-27T15:22:12.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47215 (GCVE-0-2023-47215)
Vulnerability from cvelistv5 – Published: 2023-12-26 07:20 – Updated: 2024-08-02 21:01
VLAI?
Summary
Stored cross-site scripting vulnerability which is exploiting a behavior of the XSS Filter exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:01:22.674Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability which is exploiting a behavior of the XSS Filter exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:53.804Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-47215",
"datePublished": "2023-12-26T07:20:53.804Z",
"dateReserved": "2023-12-07T02:39:47.663Z",
"dateUpdated": "2024-08-02T21:01:22.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46699 (GCVE-0-2023-46699)
Vulnerability from cvelistv5 – Published: 2023-12-26 07:20 – Updated: 2024-09-12 12:36
VLAI?
Summary
Cross-site request forgery (CSRF) vulnerability exists in the User settings (/me) page of GROWI versions prior to v6.0.0. If a user views a malicious page while logging in, settings may be changed without the user's intention.
Severity ?
No CVSS data available.
CWE
- Cross-site request forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:20.881Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46699",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-04T18:22:27.439104Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T12:36:17.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability exists in the User settings (/me) page of GROWI versions prior to v6.0.0. If a user views a malicious page while logging in, settings may be changed without the user\u0027s intention."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site request forgery (CSRF)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:48.092Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-46699",
"datePublished": "2023-12-26T07:20:48.092Z",
"dateReserved": "2023-12-07T02:39:49.423Z",
"dateUpdated": "2024-09-12T12:36:17.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45740 (GCVE-0-2023-45740)
Vulnerability from cvelistv5 – Published: 2023-12-26 07:20 – Updated: 2025-04-23 16:03
VLAI?
Summary
Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
5.4 (Medium)
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v4.1.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:29:32.245Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-45740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-02T17:52:27.722596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:03:49.231Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v4.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:42.853Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-45740",
"datePublished": "2023-12-26T07:20:42.853Z",
"dateReserved": "2023-12-07T02:39:50.226Z",
"dateUpdated": "2025-04-23T16:03:49.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45737 (GCVE-0-2023-45737)
Vulnerability from cvelistv5 – Published: 2023-12-26 07:20 – Updated: 2024-08-02 20:29
VLAI?
Summary
Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page of GROWI versions prior to v3.5.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v3.5.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:29:32.277Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v3.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page of GROWI versions prior to v3.5.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:36.390Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-45737",
"datePublished": "2023-12-26T07:20:36.390Z",
"dateReserved": "2023-12-07T02:39:48.512Z",
"dateUpdated": "2024-08-02T20:29:32.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50339 (GCVE-0-2023-50339)
Vulnerability from cvelistv5 – Published: 2023-12-26 07:20 – Updated: 2024-09-09 18:00
VLAI?
Summary
Stored cross-site scripting vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.1.11. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
v6.1.11
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.697Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50339",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-27T18:02:51.280364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T18:00:25.425Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "v6.1.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.1.11. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:31.556Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-50339",
"datePublished": "2023-12-26T07:20:31.556Z",
"dateReserved": "2023-12-07T02:39:54.055Z",
"dateUpdated": "2024-09-09T18:00:25.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42436 (GCVE-0-2023-42436)
Vulnerability from nvd – Published: 2023-12-26 07:22 – Updated: 2024-08-02 19:16
VLAI?
Summary
Stored cross-site scripting vulnerability exists in the presentation feature of GROWI versions prior to v3.4.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v3.4.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:16:51.003Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v3.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the presentation feature of GROWI versions prior to v3.4.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:22:50.373Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-42436",
"datePublished": "2023-12-26T07:22:50.373Z",
"dateReserved": "2023-12-07T02:39:45.772Z",
"dateUpdated": "2024-08-02T19:16:51.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50332 (GCVE-0-2023-50332)
Vulnerability from nvd – Published: 2023-12-26 07:21 – Updated: 2024-08-02 22:16
VLAI?
Summary
Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6. If this vulnerability is exploited, a user may delete or suspend its own account without the user's intention.
Severity ?
No CVSS data available.
CWE
- Improper authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.265Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6. If this vulnerability is exploited, a user may delete or suspend its own account without the user\u0027s intention.\r\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper authorization",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:24.393Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-50332",
"datePublished": "2023-12-26T07:21:24.393Z",
"dateReserved": "2023-12-07T02:39:51.268Z",
"dateUpdated": "2024-08-02T22:16:46.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50294 (GCVE-0-2023-50294)
Vulnerability from nvd – Published: 2023-12-26 07:21 – Updated: 2024-08-02 22:16
VLAI?
Summary
The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained by an attacker who can access the App Settings page.
Severity ?
No CVSS data available.
CWE
- Cleartext storage of sensitive information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.259Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained by an attacker who can access the App Settings page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cleartext storage of sensitive information",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:19.831Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-50294",
"datePublished": "2023-12-26T07:21:19.831Z",
"dateReserved": "2023-12-07T02:39:43.973Z",
"dateUpdated": "2024-08-02T22:16:46.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50175 (GCVE-0-2023-50175)
Vulnerability from nvd – Published: 2023-12-26 07:21 – Updated: 2025-04-23 15:59
VLAI?
Summary
Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
5.4 (Medium)
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.793Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-50175",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-02T17:53:10.816140Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T15:59:54.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:15.728Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-50175",
"datePublished": "2023-12-26T07:21:15.728Z",
"dateReserved": "2023-12-07T02:39:52.053Z",
"dateUpdated": "2025-04-23T15:59:54.774Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49807 (GCVE-0-2023-49807)
Vulnerability from nvd – Published: 2023-12-26 07:21 – Updated: 2024-08-02 22:01
VLAI?
Summary
Stored cross-site scripting vulnerability when processing the MathJax exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:26.024Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability when processing the MathJax exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:11.658Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-49807",
"datePublished": "2023-12-26T07:21:11.658Z",
"dateReserved": "2023-12-07T02:39:44.808Z",
"dateUpdated": "2024-08-02T22:01:26.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49779 (GCVE-0-2023-49779)
Vulnerability from nvd – Published: 2023-12-26 07:21 – Updated: 2024-08-02 22:01
VLAI?
Summary
Stored cross-site scripting vulnerability exists in the anchor tag of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:25.681Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the anchor tag of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:06.972Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-49779",
"datePublished": "2023-12-26T07:21:06.972Z",
"dateReserved": "2023-12-07T02:39:53.189Z",
"dateUpdated": "2024-08-02T22:01:25.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49598 (GCVE-0-2023-49598)
Vulnerability from nvd – Published: 2023-12-26 07:21 – Updated: 2024-08-02 22:01
VLAI?
Summary
Stored cross-site scripting vulnerability exists in the event handlers of the pre tags in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:25.946Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the event handlers of the pre tags in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:02.611Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-49598",
"datePublished": "2023-12-26T07:21:02.611Z",
"dateReserved": "2023-12-07T02:39:42.967Z",
"dateUpdated": "2024-08-02T22:01:25.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49119 (GCVE-0-2023-49119)
Vulnerability from nvd – Published: 2023-12-26 07:20 – Updated: 2024-11-27 15:22
VLAI?
Summary
Stored cross-site scripting vulnerability via the img tags exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:46:29.293Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49119",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-10T20:31:53.312588Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T15:22:12.385Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability via the img tags exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:58.393Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-49119",
"datePublished": "2023-12-26T07:20:58.393Z",
"dateReserved": "2023-12-07T02:39:46.701Z",
"dateUpdated": "2024-11-27T15:22:12.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47215 (GCVE-0-2023-47215)
Vulnerability from nvd – Published: 2023-12-26 07:20 – Updated: 2024-08-02 21:01
VLAI?
Summary
Stored cross-site scripting vulnerability which is exploiting a behavior of the XSS Filter exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:01:22.674Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability which is exploiting a behavior of the XSS Filter exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:53.804Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-47215",
"datePublished": "2023-12-26T07:20:53.804Z",
"dateReserved": "2023-12-07T02:39:47.663Z",
"dateUpdated": "2024-08-02T21:01:22.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46699 (GCVE-0-2023-46699)
Vulnerability from nvd – Published: 2023-12-26 07:20 – Updated: 2024-09-12 12:36
VLAI?
Summary
Cross-site request forgery (CSRF) vulnerability exists in the User settings (/me) page of GROWI versions prior to v6.0.0. If a user views a malicious page while logging in, settings may be changed without the user's intention.
Severity ?
No CVSS data available.
CWE
- Cross-site request forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v6.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:20.881Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46699",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-04T18:22:27.439104Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T12:36:17.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability exists in the User settings (/me) page of GROWI versions prior to v6.0.0. If a user views a malicious page while logging in, settings may be changed without the user\u0027s intention."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site request forgery (CSRF)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:48.092Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-46699",
"datePublished": "2023-12-26T07:20:48.092Z",
"dateReserved": "2023-12-07T02:39:49.423Z",
"dateUpdated": "2024-09-12T12:36:17.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45740 (GCVE-0-2023-45740)
Vulnerability from nvd – Published: 2023-12-26 07:20 – Updated: 2025-04-23 16:03
VLAI?
Summary
Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
5.4 (Medium)
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v4.1.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:29:32.245Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-45740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-02T17:52:27.722596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:03:49.231Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v4.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:42.853Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-45740",
"datePublished": "2023-12-26T07:20:42.853Z",
"dateReserved": "2023-12-07T02:39:50.226Z",
"dateUpdated": "2025-04-23T16:03:49.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45737 (GCVE-0-2023-45737)
Vulnerability from nvd – Published: 2023-12-26 07:20 – Updated: 2024-08-02 20:29
VLAI?
Summary
Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page of GROWI versions prior to v3.5.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
prior to v3.5.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:29:32.277Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v3.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page of GROWI versions prior to v3.5.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:36.390Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-45737",
"datePublished": "2023-12-26T07:20:36.390Z",
"dateReserved": "2023-12-07T02:39:48.512Z",
"dateUpdated": "2024-08-02T20:29:32.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50339 (GCVE-0-2023-50339)
Vulnerability from nvd – Published: 2023-12-26 07:20 – Updated: 2024-09-09 18:00
VLAI?
Summary
Stored cross-site scripting vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.1.11. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WESEEK, Inc. | GROWI |
Affected:
v6.1.11
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.697Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50339",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-27T18:02:51.280364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T18:00:25.425Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "v6.1.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.1.11. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:31.556Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-50339",
"datePublished": "2023-12-26T07:20:31.556Z",
"dateReserved": "2023-12-07T02:39:54.055Z",
"dateUpdated": "2024-09-09T18:00:25.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
JVNDB-2023-000123
Vulnerability from jvndb - Published: 2023-12-13 15:30 - Updated:2024-03-19 17:46
Severity ?
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
- Stored cross-site scripting vulnerability in the presentation feature (CWE-79) - CVE-2023-42436
- Stored cross-site scripting vulnerability in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page (CWE-79) - CVE-2023-45737
- Stored cross-site scripting vulnerability when processing profile images (CWE-79) - CVE-2023-45740
- Cross-site request forgery vulnerability in the User settings (/me) page (CWE-352) - CVE-2023-46699
- Stored cross-site scripting vulnerability exploiting a behavior of the XSS Filter (CWE-79) - CVE-2023-47215
- Stored cross-site scripting vulnerability via the img tags (CWE-79) - CVE-2023-49119
- Stored cross-site scripting vulnerability in the event handlers of the pre tags (CWE-79) - CVE-2023-49598
- Stored cross-site scripting vulnerability in the anchor tag (CWE-79) - CVE-2023-49779
- Stored cross-site scripting vulnerability when processing the MathJax (CWE-79) - CVE-2023-49807
- Stored cross-site scripting vulnerability in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page (CWE-79) - CVE-2023-50175
- Cleartext storage of sensitive information vulnerability in the App Settings (/admin/app) page's Secret access key (CWE-312) - CVE-2023-50294
- Improper authorization in the User Management (/admin/users) page (CWE-285) - CVE-2023-50332
- Stored cross-site scripting vulnerability in the User Management (/admin/users) page (CWE-79) - CVE-2023-50339
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000123.html",
"dc:date": "2024-03-19T17:46+09:00",
"dcterms:issued": "2023-12-13T15:30+09:00",
"dcterms:modified": "2024-03-19T17:46+09:00",
"description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eStored cross-site scripting vulnerability in the presentation feature (CWE-79) - CVE-2023-42436\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page (CWE-79) - CVE-2023-45737\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability when processing profile images (CWE-79) - CVE-2023-45740\u003c/li\u003e\u003cli\u003eCross-site request forgery vulnerability in the User settings (/me) page (CWE-352) - CVE-2023-46699\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability exploiting a behavior of the XSS Filter (CWE-79) - CVE-2023-47215\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability via the img tags (CWE-79) - CVE-2023-49119\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the event handlers of the pre tags (CWE-79) - CVE-2023-49598\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the anchor tag (CWE-79) - CVE-2023-49779\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability when processing the MathJax (CWE-79) - CVE-2023-49807\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page (CWE-79) - CVE-2023-50175\u003c/li\u003e\u003cli\u003eCleartext storage of sensitive information vulnerability in the App Settings (/admin/app) page\u0027s Secret access key (CWE-312) - CVE-2023-50294\u003c/li\u003e\u003cli\u003eImproper authorization in the User Management (/admin/users) page (CWE-285) - CVE-2023-50332\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the User Management (/admin/users) page (CWE-79) - CVE-2023-50339\u003c/li\u003e\u003c/ul\u003e\r\nCVE-2023-42436\r\nKakeru Kajihara of NTT-ME System Operation Center reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-45737\r\nNaoki Takayama of University of Tsukuba reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-45740\r\nKanta Nishitani of GMO Cybersecurity by Ierae Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-46699\r\nNorihide Saito reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-47215, CVE-2023-49779\r\nNaoya Miyaguchi of Kanmu, Inc reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-49119\r\nNaoki Takayama of University of Tsukuba, Suguru Itagaki of NTT-ME System Operation Center, and Norihide Saito of Flatt Security inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-49598\r\nNaoya Miyaguchi of Kanmu, Inc, SHO ODAGIRI of GMO Cybersecurity by Ierae Inc., Tsubasa Fujii (@reinforchu), Eiji Mori of Flatt Security Inc., Shiga Takuma of BroadBand Security Inc., and Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-49807\r\nNaoya Miyaguchi of Kanmu, Inc and Naoki Takayama of University of Tsukuba reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-50175\r\nNorihide Saito of Flatt Security inc., Naoya Miyaguchi of Kanmu, Inc, and Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-50294, CVE-2023-50332, CVE-2023-50339\r\nNorihide Saito of Flatt Security inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000123.html",
"sec:cpe": {
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2023-000123",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN18715935/index.html",
"@id": "JVN#18715935",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-42436",
"@id": "CVE-2023-42436",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-45737",
"@id": "CVE-2023-45737",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-45740",
"@id": "CVE-2023-45740",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-46699",
"@id": "CVE-2023-46699",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-47215",
"@id": "CVE-2023-47215",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-49119",
"@id": "CVE-2023-49119",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-49598",
"@id": "CVE-2023-49598",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-49779",
"@id": "CVE-2023-49779",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-49807",
"@id": "CVE-2023-49807",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-50175",
"@id": "CVE-2023-50175",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-50294",
"@id": "CVE-2023-50294",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-50332",
"@id": "CVE-2023-50332",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-50339",
"@id": "CVE-2023-50339",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-42436",
"@id": "CVE-2023-42436",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-45737",
"@id": "CVE-2023-45737",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-45740",
"@id": "CVE-2023-45740",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-46699",
"@id": "CVE-2023-46699",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-47215",
"@id": "CVE-2023-47215",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49119",
"@id": "CVE-2023-49119",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49598",
"@id": "CVE-2023-49598",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49779",
"@id": "CVE-2023-49779",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49807",
"@id": "CVE-2023-49807",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50175",
"@id": "CVE-2023-50175",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50294",
"@id": "CVE-2023-50294",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50332",
"@id": "CVE-2023-50332",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50339",
"@id": "CVE-2023-50339",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-352",
"@title": "Cross-Site Request Forgery(CWE-352)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple vulnerabilities in GROWI"
}
JVNDB-2022-000076
Vulnerability from jvndb - Published: 2022-10-07 14:30 - Updated:2024-06-12 12:04
Severity ?
Summary
Growi vulnerable to improper access control
Details
GROWI provided by WESEEK, Inc. contains an improper access control vulnerability (CWE-284).
Kenta Yamamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000076.html",
"dc:date": "2024-06-12T12:04+09:00",
"dcterms:issued": "2022-10-07T14:30+09:00",
"dcterms:modified": "2024-06-12T12:04+09:00",
"description": "GROWI provided by WESEEK, Inc. contains an improper access control vulnerability (CWE-284).\r\n\r\nKenta Yamamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000076.html",
"sec:cpe": {
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "4.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"@version": "2.0"
},
{
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2022-000076",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN00845253/index.html",
"@id": "JVN#00845253",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2022-41799",
"@id": "CVE-2022-41799",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-41799",
"@id": "CVE-2022-41799",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-264",
"@title": "Permissions(CWE-264)"
}
],
"title": "Growi vulnerable to improper access control"
}
JVNDB-2022-001953
Vulnerability from jvndb - Published: 2022-06-15 17:47 - Updated:2022-06-15 17:47
Severity ?
Summary
Growi vulnerable to weak password requirements
Details
GROWI provided by WESEEK, Inc. contains a weak password requirements vulnerability (CWE-521, CVE-2022-1236).
418sec first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WSEEK, Inc. as a coordinator. After the coordination between 418sec and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.
References
| Type | URL | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001953.html",
"dc:date": "2022-06-15T17:47+09:00",
"dcterms:issued": "2022-06-15T17:47+09:00",
"dcterms:modified": "2022-06-15T17:47+09:00",
"description": "GROWI provided by WESEEK, Inc. contains a weak password requirements vulnerability (CWE-521, CVE-2022-1236).\r\n\r\n418sec first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WSEEK, Inc. as a coordinator. After the coordination between 418sec and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001953.html",
"sec:cpe": {
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "6.4",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"@version": "2.0"
},
{
"@score": "6.5",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2022-001953",
"sec:references": [
{
"#text": "http://jvn.jp/en/vu/JVNVU96438711/index.html",
"@id": "JVNVU#96438711",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2022-1236",
"@id": "CVE-2022-1236",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-1236",
"@id": "CVE-2022-1236",
"@source": "NVD"
},
{
"#text": "https://huntr.dev/bounties/c7df088f-e355-45e6-9267-e41030dc6a32/?token=7f784544ffb530a9e6bef04557518633e763810d60f107095451c58b34645b81ad18529d3ea12f3b61ba547c99a0d87b2324e52da6efc4b01ec175416c479099bf5de3d16b8f07f0758556c278d058872597936f0e4fea7acb2bd2bc",
"@id": "Weak Password Requirements in weseek/growi",
"@source": "Related document"
},
{
"#text": "https://cwe.mitre.org/data/definitions/521.html",
"@id": "CWE-521",
"@title": "Weak Password Requirements(CWE-521)"
}
],
"title": "Growi vulnerable to weak password requirements"
}
JVNDB-2022-001087
Vulnerability from jvndb - Published: 2022-01-24 14:07 - Updated:2022-01-24 14:07
Severity ?
Summary
GROWI vulnerable to authorization bypass through user-controlled key
Details
GROWI provided by WESEEK, Inc. contains an authorization bypass through user-controlled key vulnerability (CWE-639, CVE-2021-3852).
huntr first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WSEEK, Inc. as an intermediator. After the coordination between huntr and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.
References
| Type | URL | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001087.html",
"dc:date": "2022-01-24T14:07+09:00",
"dcterms:issued": "2022-01-24T14:07+09:00",
"dcterms:modified": "2022-01-24T14:07+09:00",
"description": "GROWI provided by WESEEK, Inc. contains an authorization bypass through user-controlled key vulnerability (CWE-639, CVE-2021-3852).\r\n\r\nhuntr first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WSEEK, Inc. as an intermediator. After the coordination between huntr and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001087.html",
"sec:cpe": {
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "7.3",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2022-001087",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU94151526/",
"@id": "JVNVU#94151526",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2021-3852",
"@id": "CVE-2021-3852",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-3852",
"@id": "CVE-2021-3852",
"@source": "NVD"
},
{
"#text": "https://huntr.dev/bounties/d44def81-2834-4031-9037-e923975c3852/",
"@id": "Authorization Bypass Through User-Controlled Key in weseek/growi",
"@source": "Related document"
},
{
"#text": "https://vuldb.com/?id.190179",
"@id": "VDB-190179 (GROWI AUTHORIZATION)",
"@source": "Related document"
},
{
"#text": "https://cwe.mitre.org/data/definitions/639.html",
"@id": "CWE-639",
"@title": "Authorization Bypass Through User-Controlled Key(CWE-639)"
}
],
"title": "GROWI vulnerable to authorization bypass through user-controlled key"
}