All the vulnerabilities related to WESEEK, Inc. - GROWI
cve-2021-20737
Vulnerability from cvelistv5
Published
2021-06-22 01:35
Modified
2024-08-03 17:53
Summary
Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors.
References
| URL | Tags |
|---|---|
| https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/ | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN95457785/index.html | x_refsource_MISC |

Impacted products

| Vendor | Product |
|---|---|
| WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T17:53:21.843Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN95457785/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "versions prior to v4.2.20" } ] } ], "descriptions": [ { "lang": "en", "value": "Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "Improper authentication", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-06-22T01:35:51", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jvn.jp/en/jp/JVN95457785/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2021-20737", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "versions prior to v4.2.20" } ] } } ] }, "vendor_name": "WESEEK, Inc." 
} ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper authentication" } ] } ] }, "references": { "reference_data": [ { "name": "https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/", "refsource": "MISC", "url": "https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/" }, { "name": "https://jvn.jp/en/jp/JVN95457785/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN95457785/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2021-20737", "datePublished": "2021-06-22T01:35:51", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-08-03T17:53:21.843Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-47215
Vulnerability from cvelistv5
Published
2023-12-26 07:20
Modified
2024-08-02 21:01
Summary
Stored cross-site scripting vulnerability which is exploiting a behavior of the XSS Filter exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
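References

| URL | Tags |
|---|---|
| https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/ | |
| https://jvn.jp/en/jp/JVN18715935/ | |

Impacted products

| Vendor | Product |
|---|---|
| WESEEK, Inc. | GROWI |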
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:01:22.674Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN18715935/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "prior to v6.0.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Stored cross-site scripting vulnerability which is exploiting a behavior of the XSS Filter exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-26T07:20:53.804Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "url": "https://jvn.jp/en/jp/JVN18715935/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2023-47215", "datePublished": "2023-12-26T07:20:53.804Z", "dateReserved": "2023-12-07T02:39:47.663Z", "dateUpdated": "2024-08-02T21:01:22.674Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-46699
Vulnerability from cvelistv5
Published
2023-12-26 07:20
Modified
2024-09-12 12:36
Summary
Cross-site request forgery (CSRF) vulnerability exists in the User settings (/me) page of GROWI versions prior to v6.0.0. If a user views a malicious page while logged in, settings may be changed without the user's intention.
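References

| URL | Tags |
|---|---|
| https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/ | |
| https://jvn.jp/en/jp/JVN18715935/ | |

Impacted products

| Vendor | Product |
|---|---|
| WESEEK, Inc. | GROWI |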
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:53:20.881Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN18715935/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-46699", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T18:22:27.439104Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-12T12:36:17.923Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "prior to v6.0.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability exists in the User settings (/me) page of GROWI versions prior to v6.0.0. If a user views a malicious page while logging in, settings may be changed without the user\u0027s intention." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site request forgery (CSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-26T07:20:48.092Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "url": "https://jvn.jp/en/jp/JVN18715935/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2023-46699", "datePublished": "2023-12-26T07:20:48.092Z", "dateReserved": "2023-12-07T02:39:49.423Z", "dateUpdated": "2024-09-12T12:36:17.923Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-20670
Vulnerability from cvelistv5
Published
2021-03-10 09:20
Modified
2024-08-03 17:45
Summary
Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to read the user's personal information and/or server's internal information via unspecified vectors.
References
| URL | Tags |
|---|---|
| https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/ | x_refsource_MISC |
| https://jvn.jp/en/vu/JVNVU94889258/index.html | x_refsource_MISC |

Impacted products

| Vendor | Product |
|---|---|
| WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T17:45:45.348Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "versions v4.2.2 and earlier" } ] } ], "descriptions": [ { "lang": "en", "value": "Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to read the user\u0027s personal information and/or server\u0027s internal information via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "Improper Access Control", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-10T09:20:33", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2021-20670", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "versions v4.2.2 and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." 
} ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to read the user\u0027s personal information and/or server\u0027s internal information via unspecified vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Access Control" } ] } ] }, "references": { "reference_data": [ { "name": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/", "refsource": "MISC", "url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/" }, { "name": "https://jvn.jp/en/vu/JVNVU94889258/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2021-20670", "datePublished": "2021-03-10T09:20:33", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-08-03T17:45:45.348Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-20829
Vulnerability from cvelistv5
Published
2021-09-21 09:25
Modified
2024-08-03 17:53
Summary
Cross-site scripting vulnerability due to the inadequate tag sanitization in GROWI versions v4.2.19 and earlier allows remote attackers to execute an arbitrary script on the web browser of the user who accesses a specially crafted page.
References
| URL | Tags |
|---|---|
| https://jvn.jp/en/vu/JVNVU94889258/index.html | x_refsource_MISC |
| https://weseek.co.jp/security/2021/09/17/vulnerability/growi-prevent-multiple-xss-addition/ | x_refsource_MISC |

Impacted products

| Vendor | Product |
|---|---|
| WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T17:53:23.057Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://weseek.co.jp/security/2021/09/17/vulnerability/growi-prevent-multiple-xss-addition/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "versions v4.2.19 and earlier" } ] } ], "descriptions": [ { "lang": "en", "value": "Cross-site scripting vulnerability due to the inadequate tag sanitization in GROWI versions v4.2.19 and earlier allows remote attackers to execute an arbitrary script on the web browser of the user who accesses a specially crafted page." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-21T09:25:10", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://weseek.co.jp/security/2021/09/17/vulnerability/growi-prevent-multiple-xss-addition/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2021-20829", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "versions v4.2.19 and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." 
} ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting vulnerability due to the inadequate tag sanitization in GROWI versions v4.2.19 and earlier allows remote attackers to execute an arbitrary script on the web browser of the user who accesses a specially crafted page." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting" } ] } ] }, "references": { "reference_data": [ { "name": "https://jvn.jp/en/vu/JVNVU94889258/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" }, { "name": "https://weseek.co.jp/security/2021/09/17/vulnerability/growi-prevent-multiple-xss-addition/", "refsource": "MISC", "url": "https://weseek.co.jp/security/2021/09/17/vulnerability/growi-prevent-multiple-xss-addition/" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2021-20829", "datePublished": "2021-09-21T09:25:10", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-08-03T17:53:23.057Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-49807
Vulnerability from cvelistv5
Published
2023-12-26 07:21
Modified
2024-08-02 22:01
Summary
Stored cross-site scripting vulnerability when processing the MathJax exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
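References

| URL | Tags |
|---|---|
| https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/ | |
| https://jvn.jp/en/jp/JVN18715935/ | |

Impacted products

| Vendor | Product |
|---|---|
| WESEEK, Inc. | GROWI |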
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T22:01:26.024Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN18715935/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "prior to v6.0.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Stored cross-site scripting vulnerability when processing the MathJax exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-26T07:21:11.658Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "url": "https://jvn.jp/en/jp/JVN18715935/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2023-49807", "datePublished": "2023-12-26T07:21:11.658Z", "dateReserved": "2023-12-07T02:39:44.808Z", "dateUpdated": "2024-08-02T22:01:26.024Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-5968
Vulnerability from cvelistv5
Published
2019-07-05 13:20
Modified
2024-08-04 20:09
Summary
Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authentication of administrators via updating user's 'Basic Info'.
References
| URL | Tags |
|---|---|
| https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/ | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN84876282/index.html | x_refsource_MISC |

Impacted products

| Vendor | Product |
|---|---|
| WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T20:09:23.982Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN84876282/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "v3.4.6 and earlier" } ] } ], "descriptions": [ { "lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authentication of administrators via updating user\u0027s \u0027Basic Info\u0027." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site request forgery", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-07-05T13:20:17", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jvn.jp/en/jp/JVN84876282/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2019-5968", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "v3.4.6 and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." 
} ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authentication of administrators via updating user\u0027s \u0027Basic Info\u0027." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site request forgery" } ] } ] }, "references": { "reference_data": [ { "name": "https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/", "refsource": "MISC", "url": "https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/" }, { "name": "https://jvn.jp/en/jp/JVN84876282/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN84876282/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2019-5968", "datePublished": "2019-07-05T13:20:17", "dateReserved": "2019-01-10T00:00:00", "dateUpdated": "2024-08-04T20:09:23.982Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-5677
Vulnerability from cvelistv5
Published
2020-12-03 11:15
Modified
2024-08-04 08:39
Summary
Reflected cross-site scripting vulnerability in GROWI v4.0.0 and earlier allows remote attackers to inject arbitrary script via unspecified vectors.
References
| URL | Tags |
|---|---|
| https://github.com/weseek/growi | x_refsource_MISC |
| https://hub.docker.com/r/weseek/growi/ | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN56450373/index.html | x_refsource_MISC |

Impacted products

| Vendor | Product |
|---|---|
| WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T08:39:25.646Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/weseek/growi" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hub.docker.com/r/weseek/growi/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN56450373/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "v4.0.0 and earlier" } ] } ], "descriptions": [ { "lang": "en", "value": "Reflected cross-site scripting vulnerability in GROWI v4.0.0 and earlier allows remote attackers to inject arbitrary script via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-03T11:15:31", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/weseek/growi" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hub.docker.com/r/weseek/growi/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jvn.jp/en/jp/JVN56450373/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2020-5677", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "v4.0.0 and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." 
} ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Reflected cross-site scripting vulnerability in GROWI v4.0.0 and earlier allows remote attackers to inject arbitrary script via unspecified vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/weseek/growi", "refsource": "MISC", "url": "https://github.com/weseek/growi" }, { "name": "https://hub.docker.com/r/weseek/growi/", "refsource": "MISC", "url": "https://hub.docker.com/r/weseek/growi/" }, { "name": "https://jvn.jp/en/jp/JVN56450373/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN56450373/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2020-5677", "datePublished": "2020-12-03T11:15:32", "dateReserved": "2020-01-06T00:00:00", "dateUpdated": "2024-08-04T08:39:25.646Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-50294
Vulnerability from cvelistv5
Published
2023-12-26 07:21
Modified
2024-08-02 22:16
Summary
The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained by an attacker who can access the App Settings page.
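References

| URL | Tags |
|---|---|
| https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/ | |
| https://jvn.jp/en/jp/JVN18715935/ | |

Impacted products

| Vendor | Product |
|---|---|
| WESEEK, Inc. | GROWI |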
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T22:16:46.259Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN18715935/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "prior to v6.0.6" } ] } ], "descriptions": [ { "lang": "en", "value": "The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained by an attacker who can access the App Settings page." } ], "problemTypes": [ { "descriptions": [ { "description": "Cleartext storage of sensitive information", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-26T07:21:19.831Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "url": "https://jvn.jp/en/jp/JVN18715935/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2023-50294", "datePublished": "2023-12-26T07:21:19.831Z", "dateReserved": "2023-12-07T02:39:43.973Z", "dateUpdated": "2024-08-02T22:16:46.259Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-49119
Vulnerability from cvelistv5
Published
2023-12-26 07:20
Modified
2024-08-02 21:46
Summary
Stored cross-site scripting vulnerability via the img tags exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
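References

| URL | Tags |
|---|---|
| https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/ | |
| https://jvn.jp/en/jp/JVN18715935/ | |

Impacted products

| Vendor | Product |
|---|---|
| WESEEK, Inc. | GROWI |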
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:46:29.293Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN18715935/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "prior to v6.0.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Stored cross-site scripting vulnerability via the img tags exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-26T07:20:58.393Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "url": "https://jvn.jp/en/jp/JVN18715935/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2023-49119", "datePublished": "2023-12-26T07:20:58.393Z", "dateReserved": "2023-12-07T02:39:46.701Z", "dateUpdated": "2024-08-02T21:46:29.293Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-0698
Vulnerability from cvelistv5
Published
2019-01-09 22:00
Modified
2024-08-05 03:35
Summary
Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| URL | Tags |
|---|---|
| https://jvn.jp/en/jp/JVN96493183/index.html | third-party-advisory, x_refsource_JVN |
| https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/ | x_refsource_MISC |

Impacted products

| Vendor | Product |
|---|---|
| WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:35:49.060Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "JVN#96493183", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN96493183/index.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "v3.2.3 and earlier" } ] } ], "datePublic": "2019-01-09T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-01-09T21:57:01", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "name": "JVN#96493183", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "https://jvn.jp/en/jp/JVN96493183/index.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2018-0698", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "v3.2.3 and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." 
} ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting" } ] } ] }, "references": { "reference_data": [ { "name": "JVN#96493183", "refsource": "JVN", "url": "https://jvn.jp/en/jp/JVN96493183/index.html" }, { "name": "https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/", "refsource": "MISC", "url": "https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2018-0698", "datePublished": "2019-01-09T22:00:00", "dateReserved": "2017-11-27T00:00:00", "dateUpdated": "2024-08-05T03:35:49.060Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-42436
Vulnerability from cvelistv5
Published
2023-12-26 07:22
Modified
2024-08-02 19:16
Summary
Stored cross-site scripting vulnerability exists in the presentation feature of GROWI versions prior to v3.4.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:16:51.003Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN18715935/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "prior to v3.4.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Stored cross-site scripting vulnerability exists in the presentation feature of GROWI versions prior to v3.4.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-26T07:22:50.373Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "url": "https://jvn.jp/en/jp/JVN18715935/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2023-42436", "datePublished": "2023-12-26T07:22:50.373Z", "dateReserved": "2023-12-07T02:39:45.772Z", "dateUpdated": "2024-08-02T19:16:51.003Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-50332
Vulnerability from cvelistv5
Published
2023-12-26 07:21
Modified
2024-08-02 22:16
Severity ?
EPSS score ?
Summary
Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6. If this vulnerability is exploited, a user may delete or suspend its own account without the user's intention.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T22:16:46.265Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN18715935/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "prior to v6.0.6" } ] } ], "descriptions": [ { "lang": "en", "value": "Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6. If this vulnerability is exploited, a user may delete or suspend its own account without the user\u0027s intention.\r\n" } ], "problemTypes": [ { "descriptions": [ { "description": "Improper authorization", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-26T07:21:24.393Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "url": "https://jvn.jp/en/jp/JVN18715935/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2023-50332", "datePublished": "2023-12-26T07:21:24.393Z", "dateReserved": "2023-12-07T02:39:51.268Z", "dateUpdated": "2024-08-02T22:16:46.265Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-50175
Vulnerability from cvelistv5
Published
2023-12-26 07:21
Modified
2024-08-02 22:09
Severity ?
EPSS score ?
Summary
Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T22:09:49.793Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN18715935/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "prior to v6.0.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-26T07:21:15.728Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "url": "https://jvn.jp/en/jp/JVN18715935/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2023-50175", "datePublished": "2023-12-26T07:21:15.728Z", "dateReserved": "2023-12-07T02:39:52.053Z", "dateUpdated": "2024-08-02T22:09:49.793Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-49779
Vulnerability from cvelistv5
Published
2023-12-26 07:21
Modified
2024-08-02 22:01
Severity ?
EPSS score ?
Summary
Stored cross-site scripting vulnerability exists in the anchor tag of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T22:01:25.681Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN18715935/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "prior to v6.0.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Stored cross-site scripting vulnerability exists in the anchor tag of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-26T07:21:06.972Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "url": "https://jvn.jp/en/jp/JVN18715935/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2023-49779", "datePublished": "2023-12-26T07:21:06.972Z", "dateReserved": "2023-12-07T02:39:53.189Z", "dateUpdated": "2024-08-02T22:01:25.681Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-45737
Vulnerability from cvelistv5
Published
2023-12-26 07:20
Modified
2024-08-02 20:29
Severity ?
EPSS score ?
Summary
Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page of GROWI versions prior to v3.5.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:29:32.277Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN18715935/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "prior to v3.5.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page of GROWI versions prior to v3.5.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-26T07:20:36.390Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "url": "https://jvn.jp/en/jp/JVN18715935/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2023-45737", "datePublished": "2023-12-26T07:20:36.390Z", "dateReserved": "2023-12-07T02:39:48.512Z", "dateUpdated": "2024-08-02T20:29:32.277Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-20668
Vulnerability from cvelistv5
Published
2021-03-10 09:20
Modified
2024-08-03 17:45
Severity ?
EPSS score ?
Summary
Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read an arbitrary path via a specially crafted URL.
References
▼ | URL | Tags |
---|---|---|
https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/ | x_refsource_MISC | |
https://jvn.jp/en/vu/JVNVU94889258/index.html | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T17:45:45.504Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "versions v4.2.2 and earlier" } ] } ], "descriptions": [ { "lang": "en", "value": "Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read an arbitrary path via a specially crafted URL." } ], "problemTypes": [ { "descriptions": [ { "description": "Path Traversal", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-10T09:20:31", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2021-20668", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "versions v4.2.2 and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read an arbitrary path via a specially crafted URL." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Path Traversal" } ] } ] }, "references": { "reference_data": [ { "name": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/", "refsource": "MISC", "url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/" }, { "name": "https://jvn.jp/en/vu/JVNVU94889258/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2021-20668", "datePublished": "2021-03-10T09:20:31", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-08-03T17:45:45.504Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-20669
Vulnerability from cvelistv5
Published
2021-03-10 09:20
Modified
2024-08-03 17:45
Severity ?
EPSS score ?
Summary
Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read and/or delete an arbitrary path via a specially crafted URL.
References
▼ | URL | Tags |
---|---|---|
https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/ | x_refsource_MISC | |
https://jvn.jp/en/vu/JVNVU94889258/index.html | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T17:45:45.355Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "versions v4.2.2 and earlier" } ] } ], "descriptions": [ { "lang": "en", "value": "Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read and/or delete an arbitrary path via a specially crafted URL." } ], "problemTypes": [ { "descriptions": [ { "description": "Path Traversal", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-10T09:20:32", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2021-20669", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "versions v4.2.2 and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." 
} ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read and/or delete an arbitrary path via a specially crafted URL." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Path Traversal" } ] } ] }, "references": { "reference_data": [ { "name": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/", "refsource": "MISC", "url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/" }, { "name": "https://jvn.jp/en/vu/JVNVU94889258/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2021-20669", "datePublished": "2021-03-10T09:20:32", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-08-03T17:45:45.355Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-20736
Vulnerability from cvelistv5
Published
2021-06-22 01:35
Modified
2024-08-03 17:53
Severity ?
EPSS score ?
Summary
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/ | x_refsource_MISC | |
https://jvn.jp/en/jp/JVN95457785/index.html | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T17:53:21.832Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN95457785/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "versions prior to v4.2.20" } ] } ], "descriptions": [ { "lang": "en", "value": "NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "NoSQL injection", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-06-22T01:35:50", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jvn.jp/en/jp/JVN95457785/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2021-20736", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "versions prior to v4.2.20" } ] } } ] }, "vendor_name": "WESEEK, Inc." } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "NoSQL injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/", "refsource": "MISC", "url": "https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/" }, { "name": "https://jvn.jp/en/jp/JVN95457785/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN95457785/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2021-20736", "datePublished": "2021-06-22T01:35:50", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-08-03T17:53:21.832Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-5969
Vulnerability from cvelistv5
Published
2019-07-05 13:20
Modified
2024-08-04 20:09
Severity ?
EPSS score ?
Summary
Open redirect vulnerability in GROWI v3.4.6 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the process of login.
References
▼ | URL | Tags |
---|---|---|
https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/ | x_refsource_MISC | |
https://jvn.jp/en/jp/JVN84876282/index.html | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T20:09:23.956Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN84876282/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "v3.4.6 and earlier" } ] } ], "descriptions": [ { "lang": "en", "value": "Open redirect vulnerability in GROWI v3.4.6 and earlier allows remote attackersto redirect users to arbitrary web sites and conduct phishing attacks via the process of login." } ], "problemTypes": [ { "descriptions": [ { "description": "Open Redirect", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-07-05T13:20:17", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jvn.jp/en/jp/JVN84876282/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2019-5969", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "v3.4.6 and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Open redirect vulnerability in GROWI v3.4.6 and earlier allows remote attackersto redirect users to arbitrary web sites and conduct phishing attacks via the process of login." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Open Redirect" } ] } ] }, "references": { "reference_data": [ { "name": "https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/", "refsource": "MISC", "url": "https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/" }, { "name": "https://jvn.jp/en/jp/JVN84876282/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN84876282/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2019-5969", "datePublished": "2019-07-05T13:20:17", "dateReserved": "2019-01-10T00:00:00", "dateUpdated": "2024-08-04T20:09:23.956Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-5676
Vulnerability from cvelistv5
Published
2020-12-03 11:15
Modified
2024-08-04 08:39
Severity ?
EPSS score ?
Summary
GROWI v4.1.3 and earlier allow remote attackers to obtain information that they are not allowed to access via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
https://github.com/weseek/growi | x_refsource_MISC | |
https://hub.docker.com/r/weseek/growi/ | x_refsource_MISC | |
https://jvn.jp/en/jp/JVN56450373/index.html | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T08:39:25.482Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/weseek/growi" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hub.docker.com/r/weseek/growi/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN56450373/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "v4.1.3 and earlier" } ] } ], "descriptions": [ { "lang": "en", "value": "GROWI v4.1.3 and earlier allow remote attackers to obtain information which is not allowed to access via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-03T11:15:31", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/weseek/growi" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hub.docker.com/r/weseek/growi/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jvn.jp/en/jp/JVN56450373/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2020-5676", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "v4.1.3 and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "GROWI v4.1.3 and earlier allow remote attackers to obtain information which is not allowed to access via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/weseek/growi", "refsource": "MISC", "url": "https://github.com/weseek/growi" }, { "name": "https://hub.docker.com/r/weseek/growi/", "refsource": "MISC", "url": "https://hub.docker.com/r/weseek/growi/" }, { "name": "https://jvn.jp/en/jp/JVN56450373/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN56450373/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2020-5676", "datePublished": "2020-12-03T11:15:31", "dateReserved": "2020-01-06T00:00:00", "dateUpdated": "2024-08-04T08:39:25.482Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-0653
Vulnerability from cvelistv5
Published
2018-09-07 14:00
Modified
2024-08-05 03:35
Severity ?
EPSS score ?
Summary
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via Wiki page view.
References
▼ | URL | Tags |
---|---|---|
https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/ | x_refsource_CONFIRM | |
http://jvn.jp/en/jp/JVN18716340/index.html | third-party-advisory, x_refsource_JVN |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:35:48.690Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/" }, { "name": "JVN#18716340", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "http://jvn.jp/en/jp/JVN18716340/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "v.3.1.11 and earlier" } ] } ], "datePublic": "2018-07-31T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via Wiki page view." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-09-07T13:57:01", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/" }, { "name": "JVN#18716340", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "http://jvn.jp/en/jp/JVN18716340/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2018-0653", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "v.3.1.11 and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." 
} ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via Wiki page view." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting" } ] } ] }, "references": { "reference_data": [ { "name": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/", "refsource": "CONFIRM", "url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/" }, { "name": "JVN#18716340", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN18716340/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2018-0653", "datePublished": "2018-09-07T14:00:00", "dateReserved": "2017-11-27T00:00:00", "dateUpdated": "2024-08-05T03:35:48.690Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-5678
Vulnerability from cvelistv5
Published
2020-12-03 11:15
Modified
2024-08-04 08:39
Severity ?
EPSS score ?
Summary
Stored cross-site scripting vulnerability in GROWI v3.8.1 and earlier allows remote attackers to inject arbitrary script via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
https://github.com/weseek/growi | x_refsource_MISC | |
https://hub.docker.com/r/weseek/growi/ | x_refsource_MISC | |
https://jvn.jp/en/jp/JVN56450373/index.html | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T08:39:25.526Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/weseek/growi" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hub.docker.com/r/weseek/growi/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN56450373/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "v3.8.1 and earlier" } ] } ], "descriptions": [ { "lang": "en", "value": "Stored cross-site scripting vulnerability in GROWI v3.8.1 and earlier allows remote attackers to inject arbitrary script via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-03T11:15:32", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/weseek/growi" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hub.docker.com/r/weseek/growi/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jvn.jp/en/jp/JVN56450373/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2020-5678", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "v3.8.1 and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." 
} ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Stored cross-site scripting vulnerability in GROWI v3.8.1 and earlier allows remote attackers to inject arbitrary script via unspecified vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/weseek/growi", "refsource": "MISC", "url": "https://github.com/weseek/growi" }, { "name": "https://hub.docker.com/r/weseek/growi/", "refsource": "MISC", "url": "https://hub.docker.com/r/weseek/growi/" }, { "name": "https://jvn.jp/en/jp/JVN56450373/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN56450373/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2020-5678", "datePublished": "2020-12-03T11:15:32", "dateReserved": "2020-01-06T00:00:00", "dateUpdated": "2024-08-04T08:39:25.526Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-5682
Vulnerability from cvelistv5
Published
2020-12-16 07:45
Modified
2024-08-04 08:39
Severity ?
EPSS score ?
Summary
Improper input validation in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier allows remote attackers to cause a denial of service via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
https://github.com/weseek/growi | x_refsource_MISC | |
https://hub.docker.com/r/weseek/growi/ | x_refsource_MISC | |
https://jvn.jp/en/jp/JVN94169589/index.html | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T08:39:25.628Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/weseek/growi" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hub.docker.com/r/weseek/growi/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN94169589/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier" } ] } ], "descriptions": [ { "lang": "en", "value": "Improper input validation in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier allows remote attackers to cause a denial of service via unspecified vectors." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Improper Input Validation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-16T07:45:18", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/weseek/growi" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hub.docker.com/r/weseek/growi/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jvn.jp/en/jp/JVN94169589/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2020-5682", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Improper input validation in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier allows remote attackers to cause a denial of service via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Input Validation" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/weseek/growi", "refsource": "MISC", "url": "https://github.com/weseek/growi" }, { "name": "https://hub.docker.com/r/weseek/growi/", "refsource": "MISC", "url": "https://hub.docker.com/r/weseek/growi/" }, { "name": "https://jvn.jp/en/jp/JVN94169589/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN94169589/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2020-5682", "datePublished": "2020-12-16T07:45:18", "dateReserved": "2020-01-06T00:00:00", "dateUpdated": "2024-08-04T08:39:25.628Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-45740
Vulnerability from cvelistv5
Published
2023-12-26 07:20
Modified
2024-08-02 20:29
Severity ?
EPSS score ?
Summary
Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:29:32.245Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN18715935/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "prior to v4.1.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-26T07:20:42.853Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "url": "https://jvn.jp/en/jp/JVN18715935/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2023-45740", "datePublished": "2023-12-26T07:20:42.853Z", "dateReserved": "2023-12-07T02:39:50.226Z", "dateUpdated": "2024-08-02T20:29:32.245Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-5683
Vulnerability from cvelistv5
Published
2020-12-16 07:45
Modified
2024-08-04 08:39
Severity ?
EPSS score ?
Summary
Directory traversal vulnerability in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier allows remote attackers to alter the data by uploading a specially crafted file.
References
▼ | URL | Tags |
---|---|---|
https://github.com/weseek/growi | x_refsource_MISC | |
https://hub.docker.com/r/weseek/growi/ | x_refsource_MISC | |
https://jvn.jp/en/jp/JVN94169589/index.html | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T08:39:25.766Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/weseek/growi" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hub.docker.com/r/weseek/growi/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN94169589/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier" } ] } ], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier allows remote attackers to alter the data by uploading a specially crafted file." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Directory traversal", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-16T07:45:19", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/weseek/growi" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hub.docker.com/r/weseek/growi/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jvn.jp/en/jp/JVN94169589/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2020-5683", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Directory traversal vulnerability in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier allows remote attackers to alter the data by uploading a specially crafted file." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Directory traversal" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/weseek/growi", "refsource": "MISC", "url": "https://github.com/weseek/growi" }, { "name": "https://hub.docker.com/r/weseek/growi/", "refsource": "MISC", "url": "https://hub.docker.com/r/weseek/growi/" }, { "name": "https://jvn.jp/en/jp/JVN94169589/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN94169589/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2020-5683", "datePublished": "2020-12-16T07:45:19", "dateReserved": "2020-01-06T00:00:00", "dateUpdated": "2024-08-04T08:39:25.766Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-50339
Vulnerability from cvelistv5
Published
2023-12-26 07:20
Modified
2024-09-09 18:00
Severity ?
EPSS score ?
Summary
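Stored cross-site scripting vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.1.11. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product. (The affected-versions field of the record below lists only "v6.1.11" with status "affected", which does not match the "prior to v6.1.11" wording here; confirm the fixed release against the vendor advisory before relying on automated version matching.)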
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T22:16:46.697Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN18715935/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-50339", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-27T18:02:51.280364Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-09T18:00:25.425Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "v6.1.11" } ] } ], "descriptions": [ { "lang": "en", "value": "Stored cross-site scripting vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.1.11. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-26T07:20:31.556Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "url": "https://jvn.jp/en/jp/JVN18715935/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2023-50339", "datePublished": "2023-12-26T07:20:31.556Z", "dateReserved": "2023-12-07T02:39:54.055Z", "dateUpdated": "2024-09-09T18:00:25.425Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-16205
Vulnerability from cvelistv5
Published
2019-01-09 22:00
Modified
2024-08-05 10:17
Severity ?
EPSS score ?
Summary
Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via New Page modal.
References
▼ | URL | Tags |
---|---|---|
https://jvn.jp/en/jp/JVN96493183/index.html | third-party-advisory, x_refsource_JVN | |
https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/ | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T10:17:38.294Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "JVN#96493183", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN96493183/index.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "v3.2.3 and earlier" } ] } ], "datePublic": "2019-01-09T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via New Page modal." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-01-09T21:57:01", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "name": "JVN#96493183", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "https://jvn.jp/en/jp/JVN96493183/index.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2018-16205", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "v3.2.3 and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." 
} ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via New Page modal." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting" } ] } ] }, "references": { "reference_data": [ { "name": "JVN#96493183", "refsource": "JVN", "url": "https://jvn.jp/en/jp/JVN96493183/index.html" }, { "name": "https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/", "refsource": "MISC", "url": "https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2018-16205", "datePublished": "2019-01-09T22:00:00", "dateReserved": "2018-08-30T00:00:00", "dateUpdated": "2024-08-05T10:17:38.294Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-0655
Vulnerability from cvelistv5
Published
2018-09-07 14:00
Modified
2024-08-05 03:35
Severity ?
EPSS score ?
Summary
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the app settings section of admin page.
References
▼ | URL | Tags |
---|---|---|
https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/ | x_refsource_CONFIRM | |
http://jvn.jp/en/jp/JVN18716340/index.html | third-party-advisory, x_refsource_JVN |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:35:48.842Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/" }, { "name": "JVN#18716340", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "http://jvn.jp/en/jp/JVN18716340/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "v.3.1.11 and earlier" } ] } ], "datePublic": "2018-07-31T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the app settings section of admin page." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-09-07T13:57:01", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/" }, { "name": "JVN#18716340", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "http://jvn.jp/en/jp/JVN18716340/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2018-0655", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "v.3.1.11 and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." 
} ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the app settings section of admin page." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting" } ] } ] }, "references": { "reference_data": [ { "name": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/", "refsource": "CONFIRM", "url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/" }, { "name": "JVN#18716340", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN18716340/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2018-0655", "datePublished": "2018-09-07T14:00:00", "dateReserved": "2017-11-27T00:00:00", "dateUpdated": "2024-08-05T03:35:48.842Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-20671
Vulnerability from cvelistv5
Published
2021-03-10 09:20
Modified
2024-08-03 17:45
Severity ?
EPSS score ?
Summary
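Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative privilege to overwrite the files on the server, which may lead to arbitrary code execution. (The affected-versions field of the record below reads "versions v4.2.2 and earlier", so releases before v4.2.2 are in scope as well.)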
References
▼ | URL | Tags |
---|---|---|
https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/ | x_refsource_MISC | |
https://jvn.jp/en/vu/JVNVU94889258/index.html | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T17:45:45.225Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "versions v4.2.2 and earlier" } ] } ], "descriptions": [ { "lang": "en", "value": "Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative privilege to overwrite the files on the server, which may lead to arbitrary code execution." } ], "problemTypes": [ { "descriptions": [ { "description": "Improper Input Validation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-10T09:20:34", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2021-20671", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "versions v4.2.2 and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." 
} ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative privilege to overwrite the files on the server, which may lead to arbitrary code execution." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Input Validation" } ] } ] }, "references": { "reference_data": [ { "name": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/", "refsource": "MISC", "url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/" }, { "name": "https://jvn.jp/en/vu/JVNVU94889258/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2021-20671", "datePublished": "2021-03-10T09:20:34", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-08-03T17:45:45.225Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-20667
Vulnerability from cvelistv5
Published
2021-03-10 09:20
Modified
2024-08-03 17:45
Severity ?
EPSS score ?
Summary
Stored cross-site scripting vulnerability due to inadequate CSP (Content Security Policy) configuration in GROWI versions v4.2.2 and earlier allows remote authenticated attackers to inject an arbitrary script via a specially crafted content.
References
▼ | URL | Tags |
---|---|---|
https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/ | x_refsource_MISC | |
https://jvn.jp/en/vu/JVNVU94889258/index.html | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T17:45:45.356Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "versions v4.2.2 and earlier" } ] } ], "descriptions": [ { "lang": "en", "value": "Stored cross-site scripting vulnerability due to inadequate CSP (Content Security Policy) configuration in GROWI versions v4.2.2 and earlier allows remote authenticated attackers to inject an arbitrary script via a specially crafted content." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-10T09:20:30", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2021-20667", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "versions v4.2.2 and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." 
} ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Stored cross-site scripting vulnerability due to inadequate CSP (Content Security Policy) configuration in GROWI versions v4.2.2 and earlier allows remote authenticated attackers to inject an arbitrary script via a specially crafted content." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting" } ] } ] }, "references": { "reference_data": [ { "name": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/", "refsource": "MISC", "url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/" }, { "name": "https://jvn.jp/en/vu/JVNVU94889258/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/vu/JVNVU94889258/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2021-20667", "datePublished": "2021-03-10T09:20:31", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-08-03T17:45:45.356Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-0652
Vulnerability from cvelistv5
Published
2018-09-07 14:00
Modified
2024-08-05 03:35
Severity ?
EPSS score ?
Summary
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the UserGroup Management section of admin page.
References
▼ | URL | Tags |
---|---|---|
https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/ | x_refsource_CONFIRM | |
http://jvn.jp/en/jp/JVN18716340/index.html | third-party-advisory, x_refsource_JVN |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:35:48.908Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/" }, { "name": "JVN#18716340", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "http://jvn.jp/en/jp/JVN18716340/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "v.3.1.11 and earlier" } ] } ], "datePublic": "2018-07-31T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the UserGroup Management section of admin page." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-09-07T13:57:01", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/" }, { "name": "JVN#18716340", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "http://jvn.jp/en/jp/JVN18716340/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2018-0652", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "v.3.1.11 and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." 
} ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the UserGroup Management section of admin page." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting" } ] } ] }, "references": { "reference_data": [ { "name": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/", "refsource": "CONFIRM", "url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/" }, { "name": "JVN#18716340", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN18716340/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2018-0652", "datePublished": "2018-09-07T14:00:00", "dateReserved": "2017-11-27T00:00:00", "dateUpdated": "2024-08-05T03:35:48.908Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-0654
Vulnerability from cvelistv5
Published
2018-09-07 14:00
Modified
2024-08-05 03:35
Severity ?
EPSS score ?
Summary
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the modal for creating Wiki page.
References
▼ | URL | Tags |
---|---|---|
https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/ | x_refsource_CONFIRM | |
http://jvn.jp/en/jp/JVN18716340/index.html | third-party-advisory, x_refsource_JVN |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:35:49.324Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/" }, { "name": "JVN#18716340", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "http://jvn.jp/en/jp/JVN18716340/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "v.3.1.11 and earlier" } ] } ], "datePublic": "2018-07-31T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the modal for creating Wiki page." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-09-07T13:57:01", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/" }, { "name": "JVN#18716340", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "http://jvn.jp/en/jp/JVN18716340/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2018-0654", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GROWI", "version": { "version_data": [ { "version_value": "v.3.1.11 and earlier" } ] } } ] }, "vendor_name": "WESEEK, Inc." 
} ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the modal for creating Wiki page." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting" } ] } ] }, "references": { "reference_data": [ { "name": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/", "refsource": "CONFIRM", "url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/" }, { "name": "JVN#18716340", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN18716340/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2018-0654", "datePublished": "2018-09-07T14:00:00", "dateReserved": "2017-11-27T00:00:00", "dateUpdated": "2024-08-05T03:35:49.324Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-49598
Vulnerability from cvelistv5
Published
2023-12-26 07:21
Modified
2024-08-02 22:01
Severity ?
EPSS score ?
Summary
Stored cross-site scripting vulnerability exists in the event handlers of the pre tags in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T22:01:25.946Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN18715935/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GROWI", "vendor": "WESEEK, Inc.", "versions": [ { "status": "affected", "version": "prior to v6.0.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Stored cross-site scripting vulnerability exists in the event handlers of the pre tags in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-26T07:21:02.611Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/" }, { "url": "https://jvn.jp/en/jp/JVN18715935/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2023-49598", "datePublished": "2023-12-26T07:21:02.611Z", "dateReserved": "2023-12-07T02:39:42.967Z", "dateUpdated": "2024-08-02T22:01:25.946Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
jvndb-2021-000050
Vulnerability from jvndb
Published
2021-06-14 15:10
Modified
2021-06-14 15:10
Severity ?
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
* NoSQL injection (CWE-943) - CVE-2021-20736
* Improper authentication (CWE-287) - CVE-2021-20737
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000050.html", "dc:date": "2021-06-14T15:10+09:00", "dcterms:issued": "2021-06-14T15:10+09:00", "dcterms:modified": "2021-06-14T15:10+09:00", "description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.\r\n*NoSQL injection (CWE-943) - CVE-2021-20736\r\n*Improper authentication (CWE-287) - CVE-2021-20737", "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000050.html", "sec:cpe": { "#text": "cpe:/a:weseek:growi", "@product": "GROWI", "@vendor": "WESEEK, Inc.", "@version": "2.2" }, "sec:cvss": [ { "@score": "7.5", "@severity": "High", "@type": "Base", "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "@version": "2.0" }, { "@score": "7.3", "@severity": "High", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "@version": "3.0" } ], "sec:identifier": "JVNDB-2021-000050", "sec:references": [ { "#text": "https://jvn.jp/en/jp/JVN95457785/", "@id": "JVN#95457785", "@source": "JVN" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20736", "@id": "CVE-2021-20736", "@source": "CVE" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20737", "@id": "CVE-2021-20737", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20736", "@id": "CVE-2021-20736", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20737", "@id": "CVE-2021-20737", "@source": "NVD" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-287", "@title": "Improper Authentication(CWE-287)" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-Other", "@title": "No Mapping(CWE-Other)" } ], "title": "Multiple vulnerabilities in GROWI" }
jvndb-2019-000033
Vulnerability from jvndb
Published
2019-06-07 15:18
Modified
2019-10-01 10:46
Severity ?
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
* Cross-site request forgery vulnerability in the process of updating user's "Basic Info" (CWE-352) - CVE-2019-5968
* Open redirect vulnerability in the process of login (CWE-601) - CVE-2019-5969
Security Group of DeCurret Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
▼ | Type | URL |
---|---|---|
JVN | https://jvn.jp/en/jp/JVN84876282/index.html | |
CVE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5968 | |
CVE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5969 | |
NVD | https://nvd.nist.gov/vuln/detail/CVE-2019-5968 | |
NVD | https://nvd.nist.gov/vuln/detail/CVE-2019-5969 | |
Improper Input Validation(CWE-20) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html | |
Cross-Site Request Forgery(CWE-352) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000033.html", "dc:date": "2019-10-01T10:46+09:00", "dcterms:issued": "2019-06-07T15:18+09:00", "dcterms:modified": "2019-10-01T10:46+09:00", "description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. \r\n* Cross-site request forgery vulnerability in the process of updating user\u0027s \"Basic Info\" (CWE-352) - CVE-2019-5968\r\n* Open redirect vulnerability in the process of login (CWE-601) - CVE-2019-5969\r\n\r\nSecurity Group of DeCurret Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000033.html", "sec:cpe": { "#text": "cpe:/a:weseek:growi", "@product": "GROWI", "@vendor": "WESEEK, Inc.", "@version": "2.2" }, "sec:cvss": [ { "@score": "4.3", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "@version": "2.0" }, { "@score": "4.3", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "@version": "3.0" } ], "sec:identifier": "JVNDB-2019-000033", "sec:references": [ { "#text": "https://jvn.jp/en/jp/JVN84876282/index.html", "@id": "JVN#84876282", "@source": "JVN" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5968", "@id": "CVE-2019-5968", "@source": "CVE" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5969", "@id": "CVE-2019-5969", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-5968", "@id": "CVE-2019-5968", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-5969", "@id": "CVE-2019-5969", "@source": "NVD" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-20", "@title": "Improper Input Validation(CWE-20)" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-352", "@title": 
"Cross-Site Request Forgery(CWE-352)" } ], "title": "Multiple vulnerabilities in GROWI" }
jvndb-2022-000076
Vulnerability from jvndb
Published
2022-10-07 14:30
Modified
2024-06-12 12:04
Severity ?
Summary
Growi vulnerable to improper access control
Details
GROWI provided by WESEEK, Inc. contains an improper access control vulnerability (CWE-284).
Kenta Yamamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000076.html", "dc:date": "2024-06-12T12:04+09:00", "dcterms:issued": "2022-10-07T14:30+09:00", "dcterms:modified": "2024-06-12T12:04+09:00", "description": "GROWI provided by WESEEK, Inc. contains an improper access control vulnerability (CWE-284).\r\n\r\nKenta Yamamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000076.html", "sec:cpe": { "#text": "cpe:/a:weseek:growi", "@product": "GROWI", "@vendor": "WESEEK, Inc.", "@version": "2.2" }, "sec:cvss": [ { "@score": "4.0", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "@version": "2.0" }, { "@score": "4.3", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "@version": "3.0" } ], "sec:identifier": "JVNDB-2022-000076", "sec:references": [ { "#text": "http://jvn.jp/en/jp/JVN00845253/index.html", "@id": "JVN#00845253", "@source": "JVN" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2022-41799", "@id": "CVE-2022-41799", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-41799", "@id": "CVE-2022-41799", "@source": "NVD" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-264", "@title": "Permissions(CWE-264)" } ], "title": "Growi vulnerable to improper access control" }
jvndb-2021-001123
Vulnerability from jvndb
Published
2021-03-09 14:17
Modified
2021-09-24 13:34
Severity ?
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
Stored Cross-site Scripting (CWE-79) - CVE-2021-20667
Path Traversal (CWE-22) - CVE-2021-20668
Path Traversal (CWE-22) - CVE-2021-20669
Improper Access Control (CWE-284) - CVE-2021-20670
Improper Input Validation (CWE-20) - CVE-2021-20671
Cross-site Scripting (CWE-79) - CVE-2021-20829
stypr of Flatt Security Inc. reported these vulnerabilities to the developer and coordinated on his own.
After coordination was completed, this case was reported to JPCERT/CC, and JPCERT/CC coordinated with the developer for the publication.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI | |
WESEEK, Inc. | GROWI |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-001123.html", "dc:date": "2021-09-24T13:34+09:00", "dcterms:issued": "2021-03-09T14:17+09:00", "dcterms:modified": "2021-09-24T13:34+09:00", "description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.\r\n\r\n Stored Cross-site Scripting (CWE-79) - CVE-2021-20667\r\n Path Traversal (CWE-22) - CVE-2021-20668\r\n Path Traversal (CWE-22) - CVE-2021-20669\r\n Improper Access Control (CWE-284) - CVE-2021-20670\r\n Improper Input Validation (CWE-20) - CVE-2021-20671\r\n Site Scripting (CWE-79) - CVE-2021-20829\r\n\r\nstypr of Flatt Security Inc. reported these vulnerabilities to the developer and coordinated on his own.\r\nAfter coordination was completed, this case was reported to JPCERT/CC, and JPCERT/CC coordinated with the developer for the publication.", "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-001123.html", "sec:cpe": [ { "#text": "cpe:/a:weseek:growi", "@product": "GROWI", "@vendor": "WESEEK, Inc.", "@version": "2.2" }, { "#text": "cpe:/a:weseek:growi", "@product": "GROWI", "@vendor": "WESEEK, Inc.", "@version": "2.2" } ], "sec:cvss": { "@score": "3.7", "@severity": "Low", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "@version": "3.0" }, "sec:identifier": "JVNDB-2021-001123", "sec:references": [ { "#text": "https://jvn.jp/en/vu/JVNVU94889258/", "@id": "JVNVU#94889258", "@source": "JVN" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20667", "@id": "CVE-2021-20667", "@source": "CVE" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20668", "@id": "CVE-2021-20668", "@source": "CVE" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20669", "@id": "CVE-2021-20669", "@source": "CVE" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20670", "@id": "CVE-2021-20670", "@source": "CVE" }, { "#text": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20671", "@id": "CVE-2021-20671", "@source": "CVE" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20829", "@id": "CVE-2021-20829", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20667", "@id": "CVE-2021-20667", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20668", "@id": "CVE-2021-20668", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20669", "@id": "CVE-2021-20669", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20670", "@id": "CVE-2021-20670", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20671", "@id": "CVE-2021-20671", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20829", "@id": "CVE-2021-20829", "@source": "NVD" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-20", "@title": "Improper Input Validation(CWE-20)" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-22", "@title": "Path Traversal(CWE-22)" }, { "#text": "https://cwe.mitre.org/data/definitions/284.html", "@id": "CWE-284", "@title": "Improper Access Control(CWE-284)" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-79", "@title": "Cross-site Scripting(CWE-79)" } ], "title": "Multiple vulnerabilities in GROWI" }
jvndb-2018-000085
Vulnerability from jvndb
Published
2018-08-03 15:04
Modified
2019-07-05 17:13
Severity ?
Summary
Multiple cross-site scripting vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below.
* Stored cross-site scripting vulnerability in the UserGroup Management section of admin page (CWE-79) - CVE-2018-0652
* Stored cross-site scripting vulnerability in Wiki page view (CWE-79) - CVE-2018-0653
* Reflected cross-site scripting vulnerability in the modal for creating Wiki page (CWE-79) - CVE-2018-0654
* Stored cross-site scripting in the app settings section of admin page (CWE-79) - CVE-2018-0655
The following researchers reported the vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2018-0652, CVE-2018-0653
Yoshinori Hayashi of Information Science College
CVE-2018-0654, CVE-2018-0655
Kanta Nishitani of Information Science College
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000085.html", "dc:date": "2019-07-05T17:13+09:00", "dcterms:issued": "2018-08-03T15:04+09:00", "dcterms:modified": "2019-07-05T17:13+09:00", "description": "GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below. \r\n* Stored cross-site scripting vulnerability in the UserGroup Management section of admin page (CWE-79) - CVE-2018-0652 \r\n* Stored cross-site scripting vulnerability in Wiki page view (CWE-79) - CVE-2018-0653 \r\n* Reflected cross-site scripting vulnerability in the modal for creating Wiki page (CWE-79) - CVE-2018-0654 \r\n* Stored cross-site scripting in the app settings section of admin page (CWE-79) - CVE-2018-0655\r\n\r\nThe following researchers reported the vulnerabilities to IPA.\r\n JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\n CVE-2018-0652, CVE-2018-0653\r\n Yoshinori Hayashi of Information Science College\r\n\r\n CVE-2018-0654, CVE-2018-0655\r\n Kanta Nishitani of Information Science College", "link": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000085.html", "sec:cpe": { "#text": "cpe:/a:weseek:growi", "@product": "GROWI", "@vendor": "WESEEK, Inc.", "@version": "2.2" }, "sec:cvss": [ { "@score": "4.0", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "@version": "2.0" }, { "@score": "6.4", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "@version": "3.0" } ], "sec:identifier": "JVNDB-2018-000085", "sec:references": [ { "#text": "http://jvn.jp/en/jp/JVN18716340/index.html", "@id": "JVN#18716340", "@source": "JVN" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0652", "@id": "CVE-2018-0652", "@source": "CVE" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0653", "@id": "CVE-2018-0653", "@source": "CVE" }, { "#text": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0654", "@id": "CVE-2018-0654", "@source": "CVE" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0655", "@id": "CVE-2018-0655", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0652", "@id": "CVE-2018-0652", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0653", "@id": "CVE-2018-0653", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0654", "@id": "CVE-2018-0654", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0655", "@id": "CVE-2018-0655", "@source": "NVD" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-79", "@title": "Cross-site Scripting(CWE-79)" } ], "title": "Multiple cross-site scripting vulnerabilities in GROWI" }
jvndb-2023-000123
Vulnerability from jvndb
Published
2023-12-13 15:30
Modified
2024-03-19 17:46
Severity ?
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
* Stored cross-site scripting vulnerability in the presentation feature (CWE-79) - CVE-2023-42436
* Stored cross-site scripting vulnerability in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page (CWE-79) - CVE-2023-45737
* Stored cross-site scripting vulnerability when processing profile images (CWE-79) - CVE-2023-45740
* Cross-site request forgery vulnerability in the User settings (/me) page (CWE-352) - CVE-2023-46699
* Stored cross-site scripting vulnerability exploiting a behavior of the XSS Filter (CWE-79) - CVE-2023-47215
* Stored cross-site scripting vulnerability via the img tags (CWE-79) - CVE-2023-49119
* Stored cross-site scripting vulnerability in the event handlers of the pre tags (CWE-79) - CVE-2023-49598
* Stored cross-site scripting vulnerability in the anchor tag (CWE-79) - CVE-2023-49779
* Stored cross-site scripting vulnerability when processing the MathJax (CWE-79) - CVE-2023-49807
* Stored cross-site scripting vulnerability in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page (CWE-79) - CVE-2023-50175
* Cleartext storage of sensitive information vulnerability in the App Settings (/admin/app) page's Secret access key (CWE-312) - CVE-2023-50294
* Improper authorization in the User Management (/admin/users) page (CWE-285) - CVE-2023-50332
* Stored cross-site scripting vulnerability in the User Management (/admin/users) page (CWE-79) - CVE-2023-50339
CVE-2023-42436
Kakeru Kajihara of NTT-ME System Operation Center reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-45737
Naoki Takayama of University of Tsukuba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-45740
Kanta Nishitani of GMO Cybersecurity by Ierae Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-46699
Norihide Saito reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-47215, CVE-2023-49779
Naoya Miyaguchi of Kanmu, Inc reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-49119
Naoki Takayama of University of Tsukuba, Suguru Itagaki of NTT-ME System Operation Center, and Norihide Saito of Flatt Security inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-49598
Naoya Miyaguchi of Kanmu, Inc, SHO ODAGIRI of GMO Cybersecurity by Ierae Inc., Tsubasa Fujii (@reinforchu), Eiji Mori of Flatt Security Inc., Shiga Takuma of BroadBand Security Inc., and Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-49807
Naoya Miyaguchi of Kanmu, Inc and Naoki Takayama of University of Tsukuba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-50175
Norihide Saito of Flatt Security inc., Naoya Miyaguchi of Kanmu, Inc, and Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-50294, CVE-2023-50332, CVE-2023-50339
Norihide Saito of Flatt Security inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000123.html", "dc:date": "2024-03-19T17:46+09:00", "dcterms:issued": "2023-12-13T15:30+09:00", "dcterms:modified": "2024-03-19T17:46+09:00", "description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eStored cross-site scripting vulnerability in the presentation feature (CWE-79) - CVE-2023-42436\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page (CWE-79) - CVE-2023-45737\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability when processing profile images (CWE-79) - CVE-2023-45740\u003c/li\u003e\u003cli\u003eCross-site request forgery vulnerability in the User settings (/me) page (CWE-352) - CVE-2023-46699\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability exploiting a behavior of the XSS Filter (CWE-79) - CVE-2023-47215\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability via the img tags (CWE-79) - CVE-2023-49119\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the event handlers of the pre tags (CWE-79) - CVE-2023-49598\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the anchor tag (CWE-79) - CVE-2023-49779\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability when processing the MathJax (CWE-79) - CVE-2023-49807\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page (CWE-79) - CVE-2023-50175\u003c/li\u003e\u003cli\u003eCleartext storage of sensitive information vulnerability in the App Settings (/admin/app) page\u0027s Secret access key (CWE-312) - CVE-2023-50294\u003c/li\u003e\u003cli\u003eImproper authorization in the User Management (/admin/users) page (CWE-285) - 
CVE-2023-50332\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the User Management (/admin/users) page (CWE-79) - CVE-2023-50339\u003c/li\u003e\u003c/ul\u003e\r\nCVE-2023-42436\r\nKakeru Kajihara of NTT-ME System Operation Center reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-45737\r\nNaoki Takayama of University of Tsukuba reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-45740\r\nKanta Nishitani of GMO Cybersecurity by Ierae Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-46699\r\nNorihide Saito reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-47215, CVE-2023-49779\r\nNaoya Miyaguchi of Kanmu, Inc reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-49119\r\nNaoki Takayama of University of Tsukuba, Suguru Itagaki of NTT-ME System Operation Center, and Norihide Saito of Flatt Security inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-49598\r\nNaoya Miyaguchi of Kanmu, Inc, SHO ODAGIRI of GMO Cybersecurity by Ierae Inc., Tsubasa Fujii (@reinforchu), Eiji Mori of Flatt Security Inc., Shiga Takuma of BroadBand Security Inc., and Yuji Tounai of Mitsui Bussan Secure Directions, Inc. 
reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-49807\r\nNaoya Miyaguchi of Kanmu, Inc and Naoki Takayama of University of Tsukuba reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-50175\r\nNorihide Saito of Flatt Security inc., Naoya Miyaguchi of Kanmu, Inc, and Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-50294, CVE-2023-50332, CVE-2023-50339\r\nNorihide Saito of Flatt Security inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000123.html", "sec:cpe": { "#text": "cpe:/a:weseek:growi", "@product": "GROWI", "@vendor": "WESEEK, Inc.", "@version": "2.2" }, "sec:cvss": [ { "@score": "5.0", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "@version": "2.0" }, { "@score": "4.3", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "@version": "3.0" } ], "sec:identifier": "JVNDB-2023-000123", "sec:references": [ { "#text": "https://jvn.jp/en/jp/JVN18715935/index.html", "@id": "JVN#18715935", "@source": "JVN" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-42436", "@id": "CVE-2023-42436", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-45737", "@id": "CVE-2023-45737", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-45740", "@id": "CVE-2023-45740", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-46699", "@id": "CVE-2023-46699", "@source": "CVE" }, { "#text": 
"https://www.cve.org/CVERecord?id=CVE-2023-47215", "@id": "CVE-2023-47215", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-49119", "@id": "CVE-2023-49119", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-49598", "@id": "CVE-2023-49598", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-49779", "@id": "CVE-2023-49779", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-49807", "@id": "CVE-2023-49807", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-50175", "@id": "CVE-2023-50175", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-50294", "@id": "CVE-2023-50294", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-50332", "@id": "CVE-2023-50332", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-50339", "@id": "CVE-2023-50339", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-42436", "@id": "CVE-2023-42436", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-45737", "@id": "CVE-2023-45737", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-45740", "@id": "CVE-2023-45740", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-46699", "@id": "CVE-2023-46699", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-47215", "@id": "CVE-2023-47215", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49119", "@id": "CVE-2023-49119", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49598", "@id": "CVE-2023-49598", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49779", "@id": "CVE-2023-49779", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49807", "@id": "CVE-2023-49807", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50175", "@id": 
"CVE-2023-50175", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50294", "@id": "CVE-2023-50294", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50332", "@id": "CVE-2023-50332", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50339", "@id": "CVE-2023-50339", "@source": "NVD" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-352", "@title": "Cross-Site Request Forgery(CWE-352)" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-79", "@title": "Cross-site Scripting(CWE-79)" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-Other", "@title": "No Mapping(CWE-Other)" } ], "title": "Multiple vulnerabilities in GROWI" }
jvndb-2021-000019
Vulnerability from jvndb
Published
2021-03-10 16:11
Modified
2021-03-10 16:11
Severity ?
Summary
Multiple cross-site scripting vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below.
* Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters (CWE-79) - CVE-2021-20672
* Stored cross-site scripting vulnerability in Admin Page (CWE-79) - CVE-2021-20673
Naoya Miyaguchi of 3-shake Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000019.html", "dc:date": "2021-03-10T16:11+09:00", "dcterms:issued": "2021-03-10T16:11+09:00", "dcterms:modified": "2021-03-10T16:11+09:00", "description": "GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below.\r\n*Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters (CWE-79) - CVE-2021-20672\r\n*Stored cross-site scripting vulnerability in Admin Page (CWE-79) - CVE-2021-20673\r\n\r\nNaoya Miyaguchi of 3-shake Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000019.html", "sec:cpe": { "#text": "cpe:/a:weseek:growi", "@product": "GROWI", "@vendor": "WESEEK, Inc.", "@version": "2.2" }, "sec:cvss": [ { "@score": "3.5", "@severity": "Low", "@type": "Base", "@vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "@version": "2.0" }, { "@score": "4.8", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "@version": "3.0" } ], "sec:identifier": "JVNDB-2021-000019", "sec:references": [ { "#text": "https://jvn.jp/en/jp/JVN86438134/index.html", "@id": "JVN#86438134", "@source": "JVN" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20672", "@id": "CVE-2021-20672", "@source": "CVE" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20673", "@id": "CVE-2021-20673", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20672", "@id": "CVE-2021-20672", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20673", "@id": "CVE-2021-20673", "@source": "NVD" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-79", "@title": "Cross-site Scripting(CWE-79)" } ], "title": "Multiple cross-site scripting vulnerabilities in GROWI" }
jvndb-2021-000005
Vulnerability from jvndb
Published
2021-01-19 14:05
Modified
2021-01-19 14:05
Severity ?
Summary
GROWI vulnerable to cross-site scripting
Details
GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability (CWE-79).
Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
▼ | Type | URL |
---|---|---|
JVN | https://jvn.jp/en/jp/JVN57544707/index.html | |
CVE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20619 | |
NVD | https://nvd.nist.gov/vuln/detail/CVE-2021-20619 | |
Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000005.html", "dc:date": "2021-01-19T14:05+09:00", "dcterms:issued": "2021-01-19T14:05+09:00", "dcterms:modified": "2021-01-19T14:05+09:00", "description": "GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nYuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000005.html", "sec:cpe": { "#text": "cpe:/a:weseek:growi", "@product": "GROWI", "@vendor": "WESEEK, Inc.", "@version": "2.2" }, "sec:cvss": [ { "@score": "4.3", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "@version": "2.0" }, { "@score": "6.1", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "@version": "3.0" } ], "sec:identifier": "JVNDB-2021-000005", "sec:references": [ { "#text": "https://jvn.jp/en/jp/JVN57544707/index.html", "@id": "JVN#57544707", "@source": "JVN" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20619", "@id": "CVE-2021-20619", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20619", "@id": "CVE-2021-20619", "@source": "NVD" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-79", "@title": "Cross-site Scripting(CWE-79)" } ], "title": "GROWI vulnerable to cross-site scripting" }
jvndb-2020-000085
Vulnerability from jvndb
Published
2020-12-15 15:41
Modified
2021-08-30 16:29
Severity ?
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
* Denial-of-service (DoS) due to improper verification of input values (CWE-400) - CVE-2020-5682
* Directory traversal due to improper verification of uploaded files (CWE-22) - CVE-2020-5683
These vulnerabilities were reported by the following persons to IPA, and JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2020-5682
Norihide Saito of Information Science College / Flatt Security inc.
CVE-2020-5683
Daisuke Takahashi of CyberAgent, Inc.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000085.html", "dc:date": "2021-08-30T16:29+09:00", "dcterms:issued": "2020-12-15T15:41+09:00", "dcterms:modified": "2021-08-30T16:29+09:00", "description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.\r\n* Denial-of-service (DoS) due to improper verification of input values (CWE-400) - CVE-2020-5682\r\n* Directory traversal due to improper verification of uploaded files (CWE-22) - CVE-2020-5683\r\n\r\nThese vulnerabilities were reported by the following persons to IPA, and JPCERT/CC coordinated coordinated with the developer under Information Security Early Warning Partnership.\r\nCVE-2020-5682\r\nNorihide Saito of Information Science College / Flatt Security inc.\r\nCVE-2020-5683\r\nDaisuke Takahashi of CyberAgent, Inc.", "link": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000085.html", "sec:cpe": { "#text": "cpe:/a:weseek:growi", "@product": "GROWI", "@vendor": "WESEEK, Inc.", "@version": "2.2" }, "sec:cvss": [ { "@score": "5.0", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "@version": "2.0" }, { "@score": "5.3", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "@version": "3.0" } ], "sec:identifier": "JVNDB-2020-000085", "sec:references": [ { "#text": "https://jvn.jp/en/jp/JVN94169589/index.html", "@id": "JVN#94169589", "@source": "JVN" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5682", "@id": "CVE-2020-5682", "@source": "CVE" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5683", "@id": "CVE-2020-5683", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5682", "@id": "CVE-2020-5682", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5683", "@id": "CVE-2020-5683", "@source": "NVD" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-22", 
"@title": "Path Traversal(CWE-22)" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-Other", "@title": "No Mapping(CWE-Other)" } ], "title": "Multiple vulnerabilities in GROWI" }
jvndb-2022-001087
Vulnerability from jvndb
Published
2022-01-24 14:07
Modified
2022-01-24 14:07
Severity ?
Summary
GROWI vulnerable to authorization bypass through user-controlled key
Details
GROWI provided by WESEEK, Inc. contains an authorization bypass through user-controlled key vulnerability (CWE-639, CVE-2021-3852).
huntr first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WESEEK, Inc. as an intermediator. After the coordination between huntr and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.
References
▼ | Type | URL |
---|---|---|
JVN | https://jvn.jp/en/vu/JVNVU94151526/ | |
CVE | https://www.cve.org/CVERecord?id=CVE-2021-3852 | |
NVD | https://nvd.nist.gov/vuln/detail/CVE-2021-3852 | |
Related document | https://huntr.dev/bounties/d44def81-2834-4031-9037-e923975c3852/ | |
Related document | https://vuldb.com/?id.190179 | |
Authorization Bypass Through User-Controlled Key(CWE-639) | https://cwe.mitre.org/data/definitions/639.html |
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001087.html", "dc:date": "2022-01-24T14:07+09:00", "dcterms:issued": "2022-01-24T14:07+09:00", "dcterms:modified": "2022-01-24T14:07+09:00", "description": "GROWI provided by WESEEK, Inc. contains an authorization bypass through user-controlled key vulnerability (CWE-639, CVE-2021-3852).\r\n\r\nhuntr first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WSEEK, Inc. as an intermediator. After the coordination between huntr and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.", "link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001087.html", "sec:cpe": { "#text": "cpe:/a:weseek:growi", "@product": "GROWI", "@vendor": "WESEEK, Inc.", "@version": "2.2" }, "sec:cvss": [ { "@score": "5.0", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "@version": "2.0" }, { "@score": "7.3", "@severity": "High", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "@version": "3.0" } ], "sec:identifier": "JVNDB-2022-001087", "sec:references": [ { "#text": "https://jvn.jp/en/vu/JVNVU94151526/", "@id": "JVNVU#94151526", "@source": "JVN" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2021-3852", "@id": "CVE-2021-3852", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-3852", "@id": "CVE-2021-3852", "@source": "NVD" }, { "#text": "https://huntr.dev/bounties/d44def81-2834-4031-9037-e923975c3852/", "@id": "Authorization Bypass Through User-Controlled Key in weseek/growi", "@source": "Related document" }, { "#text": "https://vuldb.com/?id.190179", "@id": "VDB-190179 (GROWI AUTHORIZATION)", "@source": "Related document" }, { "#text": "https://cwe.mitre.org/data/definitions/639.html", "@id": "CWE-639", "@title": "Authorization Bypass Through User-Controlled Key(CWE-639)" } ], "title": "GROWI vulnerable to authorization bypass through user-controlled key" }
jvndb-2020-000077
Vulnerability from jvndb
Published
2020-11-25 14:54
Modified
2020-11-25 14:54
Severity ?
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
* Information disclosure (CWE-200) - CVE-2020-5676
* Reflected cross-site scripting vulnerability due to a flaw in processing input URLs (CWE-79) - CVE-2020-5677
* Stored cross-site scripting vulnerability due to a flaw in processing POST requests (CWE-79) - CVE-2020-5678
Norihide Saito of Information Science College reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000077.html", "dc:date": "2020-11-25T14:54+09:00", "dcterms:issued": "2020-11-25T14:54+09:00", "dcterms:modified": "2020-11-25T14:54+09:00", "description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.\r\n\r\n* Information disclosure (CWE-200) - CVE-2020-5676\r\n* Reflected cross-site scripting vulnerability due to a flaw in processing input URLs (CWE-79) - CVE-2020-5677\r\n* Stored cross-site scripting vulnerability due to a flaw in processing POST requests (CWE-79) - CVE-2020-5678\r\n\r\nNorihide Saito of information science college reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000077.html", "sec:cpe": { "#text": "cpe:/a:weseek:growi", "@product": "GROWI", "@vendor": "WESEEK, Inc.", "@version": "2.2" }, "sec:cvss": [ { "@score": "5.0", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "@version": "2.0" }, { "@score": "5.3", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "@version": "3.0" } ], "sec:identifier": "JVNDB-2020-000077", "sec:references": [ { "#text": "https://jvn.jp/en/jp/JVN56450373/index.html", "@id": "JVN#56450373", "@source": "JVN" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5676", "@id": "CVE-2020-5676", "@source": "CVE" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5677", "@id": "CVE-2020-5677", "@source": "CVE" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5678", "@id": "CVE-2020-5678", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5676", "@id": "CVE-2020-5676", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5677", "@id": "CVE-2020-5677", "@source": "NVD" }, { "#text": 
"https://nvd.nist.gov/vuln/detail/CVE-2020-5678", "@id": "CVE-2020-5678", "@source": "NVD" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-200", "@title": "Information Exposure(CWE-200)" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-79", "@title": "Cross-site Scripting(CWE-79)" } ], "title": "Multiple vulnerabilities in GROWI" }
jvndb-2022-001953
Vulnerability from jvndb
Published
2022-06-15 17:47
Modified
2022-06-15 17:47
Severity ?
Summary
Growi vulnerable to weak password requirements
Details
GROWI provided by WESEEK, Inc. contains a weak password requirements vulnerability (CWE-521, CVE-2022-1236).
418sec first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WESEEK, Inc. as a coordinator. After the coordination between 418sec and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001953.html", "dc:date": "2022-06-15T17:47+09:00", "dcterms:issued": "2022-06-15T17:47+09:00", "dcterms:modified": "2022-06-15T17:47+09:00", "description": "GROWI provided by WESEEK, Inc. contains a weak password requirements vulnerability (CWE-521, CVE-2022-1236).\r\n\r\n418sec first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WSEEK, Inc. as a coordinator. After the coordination between 418sec and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.", "link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001953.html", "sec:cpe": { "#text": "cpe:/a:weseek:growi", "@product": "GROWI", "@vendor": "WESEEK, Inc.", "@version": "2.2" }, "sec:cvss": [ { "@score": "6.4", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "@version": "2.0" }, { "@score": "6.5", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "@version": "3.0" } ], "sec:identifier": "JVNDB-2022-001953", "sec:references": [ { "#text": "http://jvn.jp/en/vu/JVNVU96438711/index.html", "@id": "JVNVU#96438711", "@source": "JVN" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2022-1236", "@id": "CVE-2022-1236", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-1236", "@id": "CVE-2022-1236", "@source": "NVD" }, { "#text": "https://huntr.dev/bounties/c7df088f-e355-45e6-9267-e41030dc6a32/?token=7f784544ffb530a9e6bef04557518633e763810d60f107095451c58b34645b81ad18529d3ea12f3b61ba547c99a0d87b2324e52da6efc4b01ec175416c479099bf5de3d16b8f07f0758556c278d058872597936f0e4fea7acb2bd2bc", "@id": "Weak Password Requirements in weseek/growi", "@source": "Related document" }, { "#text": "https://cwe.mitre.org/data/definitions/521.html", "@id": "CWE-521", "@title": "Weak Password Requirements(CWE-521)" } ], "title": "Growi vulnerable to weak password requirements" }
jvndb-2018-000137
Vulnerability from jvndb
Published
2018-12-26 16:36
Modified
2019-08-27 15:07
Severity ?
Summary
GROWI vulnerable to cross-site scripting
Details
GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability (CWE-79).
The settings option for enabling and disabling the measures against cross-site scripting ("Enable XSS prevention" option) was introduced in v3.1.12. However, due to an implementation issue, the option appears enabled even though the measures are actually disabled. This vulnerability was addressed in v3.2.4 according to the developer.
Takashi Yoneuchi of The University of Tokyo College of Arts and Sciences reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WESEEK, Inc. | GROWI |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000137.html", "dc:date": "2019-08-27T15:07+09:00", "dcterms:issued": "2018-12-26T16:36+09:00", "dcterms:modified": "2019-08-27T15:07+09:00", "description": "GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nThe settings option for enabling and disabling the measures against cross-site scripting (\"Enable XSS prevention\" option) was introduced in v3.1.12. However, there was an issue with the implementation where the option looks enabled although the measures are disabled. This vulnerability was addressed in v3.2.4 according to the developer.\r\n\r\nTakashi Yoneuchi of The University of Tokyo College of Arts and Sciences reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000137.html", "sec:cpe": { "#text": "cpe:/a:weseek:growi", "@product": "GROWI", "@vendor": "WESEEK, Inc.", "@version": "2.2" }, "sec:cvss": [ { "@score": "4.0", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "@version": "2.0" }, { "@score": "5.4", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "@version": "3.0" } ], "sec:identifier": "JVNDB-2018-000137", "sec:references": [ { "#text": "https://jvn.jp/en/jp/JVN96493183/index.html", "@id": "JVN#96493183", "@source": "JVN" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0698", "@id": "CVE-2018-0698", "@source": "CVE" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16205", "@id": "CVE-2018-16205", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0698", "@id": "CVE-2018-0698", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-16205", "@id": "CVE-2018-16205", "@source": "NVD" }, { "#text": 
"https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-79", "@title": "Cross-site Scripting(CWE-79)" } ], "title": "GROWI vulnerable to cross-site scripting" }