Vulnerabilities related to WESEEK, Inc. - GROWI
jvndb-2022-001087
Vulnerability from jvndb
Published
2022-01-24 14:07
Modified
2022-01-24 14:07
Summary
GROWI vulnerable to authorization bypass through user-controlled key
Details
GROWI provided by WESEEK, Inc. contains an authorization bypass through user-controlled key vulnerability (CWE-639, CVE-2021-3852).
huntr first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WESEEK, Inc. as an intermediary. After the coordination between huntr and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001087.html",
"dc:date": "2022-01-24T14:07+09:00",
"dcterms:issued": "2022-01-24T14:07+09:00",
"dcterms:modified": "2022-01-24T14:07+09:00",
"description": "GROWI provided by WESEEK, Inc. contains an authorization bypass through user-controlled key vulnerability (CWE-639, CVE-2021-3852).\r\n\r\nhuntr first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WSEEK, Inc. as an intermediator. After the coordination between huntr and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001087.html",
"sec:cpe": {
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "7.3",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2022-001087",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU94151526/",
"@id": "JVNVU#94151526",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2021-3852",
"@id": "CVE-2021-3852",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-3852",
"@id": "CVE-2021-3852",
"@source": "NVD"
},
{
"#text": "https://huntr.dev/bounties/d44def81-2834-4031-9037-e923975c3852/",
"@id": "Authorization Bypass Through User-Controlled Key in weseek/growi",
"@source": "Related document"
},
{
"#text": "https://vuldb.com/?id.190179",
"@id": "VDB-190179 (GROWI AUTHORIZATION)",
"@source": "Related document"
},
{
"#text": "https://cwe.mitre.org/data/definitions/639.html",
"@id": "CWE-639",
"@title": "Authorization Bypass Through User-Controlled Key(CWE-639)"
}
],
"title": "GROWI vulnerable to authorization bypass through user-controlled key"
}
jvndb-2021-000050
Vulnerability from jvndb
Published
2021-06-14 15:10
Modified
2021-06-14 15:10
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
* NoSQL injection (CWE-943) - CVE-2021-20736
* Improper authentication (CWE-287) - CVE-2021-20737
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000050.html",
"dc:date": "2021-06-14T15:10+09:00",
"dcterms:issued": "2021-06-14T15:10+09:00",
"dcterms:modified": "2021-06-14T15:10+09:00",
"description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.\r\n*NoSQL injection (CWE-943) - CVE-2021-20736\r\n*Improper authentication (CWE-287) - CVE-2021-20737",
"link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000050.html",
"sec:cpe": {
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "7.5",
"@severity": "High",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "7.3",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2021-000050",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN95457785/",
"@id": "JVN#95457785",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20736",
"@id": "CVE-2021-20736",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20737",
"@id": "CVE-2021-20737",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20736",
"@id": "CVE-2021-20736",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20737",
"@id": "CVE-2021-20737",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-287",
"@title": "Improper Authentication(CWE-287)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple vulnerabilities in GROWI"
}
jvndb-2021-001123
Vulnerability from jvndb
Published
2021-03-09 14:17
Modified
2021-09-24 13:34
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
* Stored Cross-site Scripting (CWE-79) - CVE-2021-20667
* Path Traversal (CWE-22) - CVE-2021-20668
* Path Traversal (CWE-22) - CVE-2021-20669
* Improper Access Control (CWE-284) - CVE-2021-20670
* Improper Input Validation (CWE-20) - CVE-2021-20671
* Site Scripting (CWE-79) - CVE-2021-20829
stypr of Flatt Security Inc. reported these vulnerabilities to the developer and coordinated on his own.
After coordination was completed, this case was reported to JPCERT/CC, and JPCERT/CC coordinated with the developer for the publication.
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-001123.html",
"dc:date": "2021-09-24T13:34+09:00",
"dcterms:issued": "2021-03-09T14:17+09:00",
"dcterms:modified": "2021-09-24T13:34+09:00",
"description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.\r\n\r\n Stored Cross-site Scripting (CWE-79) - CVE-2021-20667\r\n Path Traversal (CWE-22) - CVE-2021-20668\r\n Path Traversal (CWE-22) - CVE-2021-20669\r\n Improper Access Control (CWE-284) - CVE-2021-20670\r\n Improper Input Validation (CWE-20) - CVE-2021-20671\r\n Site Scripting (CWE-79) - CVE-2021-20829\r\n\r\nstypr of Flatt Security Inc. reported these vulnerabilities to the developer and coordinated on his own.\r\nAfter coordination was completed, this case was reported to JPCERT/CC, and JPCERT/CC coordinated with the developer for the publication.",
"link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-001123.html",
"sec:cpe": [
{
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "3.7",
"@severity": "Low",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2021-001123",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU94889258/",
"@id": "JVNVU#94889258",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20667",
"@id": "CVE-2021-20667",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20668",
"@id": "CVE-2021-20668",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20669",
"@id": "CVE-2021-20669",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20670",
"@id": "CVE-2021-20670",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20671",
"@id": "CVE-2021-20671",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20829",
"@id": "CVE-2021-20829",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20667",
"@id": "CVE-2021-20667",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20668",
"@id": "CVE-2021-20668",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20669",
"@id": "CVE-2021-20669",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20670",
"@id": "CVE-2021-20670",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20671",
"@id": "CVE-2021-20671",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20829",
"@id": "CVE-2021-20829",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-20",
"@title": "Improper Input Validation(CWE-20)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-22",
"@title": "Path Traversal(CWE-22)"
},
{
"#text": "https://cwe.mitre.org/data/definitions/284.html",
"@id": "CWE-284",
"@title": "Improper Access Control(CWE-284)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Multiple vulnerabilities in GROWI"
}
jvndb-2023-000123
Vulnerability from jvndb
Published
2023-12-13 15:30
Modified
2024-03-19 17:46
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
* Stored cross-site scripting vulnerability in the presentation feature (CWE-79) - CVE-2023-42436
* Stored cross-site scripting vulnerability in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page (CWE-79) - CVE-2023-45737
* Stored cross-site scripting vulnerability when processing profile images (CWE-79) - CVE-2023-45740
* Cross-site request forgery vulnerability in the User settings (/me) page (CWE-352) - CVE-2023-46699
* Stored cross-site scripting vulnerability exploiting a behavior of the XSS Filter (CWE-79) - CVE-2023-47215
* Stored cross-site scripting vulnerability via the img tags (CWE-79) - CVE-2023-49119
* Stored cross-site scripting vulnerability in the event handlers of the pre tags (CWE-79) - CVE-2023-49598
* Stored cross-site scripting vulnerability in the anchor tag (CWE-79) - CVE-2023-49779
* Stored cross-site scripting vulnerability when processing the MathJax (CWE-79) - CVE-2023-49807
* Stored cross-site scripting vulnerability in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page (CWE-79) - CVE-2023-50175
* Cleartext storage of sensitive information vulnerability in the App Settings (/admin/app) page's Secret access key (CWE-312) - CVE-2023-50294
* Improper authorization in the User Management (/admin/users) page (CWE-285) - CVE-2023-50332
* Stored cross-site scripting vulnerability in the User Management (/admin/users) page (CWE-79) - CVE-2023-50339
CVE-2023-42436
Kakeru Kajihara of NTT-ME System Operation Center reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-45737
Naoki Takayama of University of Tsukuba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-45740
Kanta Nishitani of GMO Cybersecurity by Ierae Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-46699
Norihide Saito reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-47215, CVE-2023-49779
Naoya Miyaguchi of Kanmu, Inc reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-49119
Naoki Takayama of University of Tsukuba, Suguru Itagaki of NTT-ME System Operation Center, and Norihide Saito of Flatt Security inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-49598
Naoya Miyaguchi of Kanmu, Inc, SHO ODAGIRI of GMO Cybersecurity by Ierae Inc., Tsubasa Fujii (@reinforchu), Eiji Mori of Flatt Security Inc., Shiga Takuma of BroadBand Security Inc., and Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-49807
Naoya Miyaguchi of Kanmu, Inc and Naoki Takayama of University of Tsukuba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-50175
Norihide Saito of Flatt Security inc., Naoya Miyaguchi of Kanmu, Inc, and Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-50294, CVE-2023-50332, CVE-2023-50339
Norihide Saito of Flatt Security inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000123.html",
"dc:date": "2024-03-19T17:46+09:00",
"dcterms:issued": "2023-12-13T15:30+09:00",
"dcterms:modified": "2024-03-19T17:46+09:00",
"description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eStored cross-site scripting vulnerability in the presentation feature (CWE-79) - CVE-2023-42436\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page (CWE-79) - CVE-2023-45737\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability when processing profile images (CWE-79) - CVE-2023-45740\u003c/li\u003e\u003cli\u003eCross-site request forgery vulnerability in the User settings (/me) page (CWE-352) - CVE-2023-46699\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability exploiting a behavior of the XSS Filter (CWE-79) - CVE-2023-47215\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability via the img tags (CWE-79) - CVE-2023-49119\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the event handlers of the pre tags (CWE-79) - CVE-2023-49598\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the anchor tag (CWE-79) - CVE-2023-49779\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability when processing the MathJax (CWE-79) - CVE-2023-49807\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page (CWE-79) - CVE-2023-50175\u003c/li\u003e\u003cli\u003eCleartext storage of sensitive information vulnerability in the App Settings (/admin/app) page\u0027s Secret access key (CWE-312) - CVE-2023-50294\u003c/li\u003e\u003cli\u003eImproper authorization in the User Management (/admin/users) page (CWE-285) - CVE-2023-50332\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the User Management (/admin/users) page (CWE-79) - CVE-2023-50339\u003c/li\u003e\u003c/ul\u003e\r\nCVE-2023-42436\r\nKakeru Kajihara of NTT-ME System Operation Center reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-45737\r\nNaoki Takayama of University of Tsukuba reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-45740\r\nKanta Nishitani of GMO Cybersecurity by Ierae Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-46699\r\nNorihide Saito reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-47215, CVE-2023-49779\r\nNaoya Miyaguchi of Kanmu, Inc reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-49119\r\nNaoki Takayama of University of Tsukuba, Suguru Itagaki of NTT-ME System Operation Center, and Norihide Saito of Flatt Security inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-49598\r\nNaoya Miyaguchi of Kanmu, Inc, SHO ODAGIRI of GMO Cybersecurity by Ierae Inc., Tsubasa Fujii (@reinforchu), Eiji Mori of Flatt Security Inc., Shiga Takuma of BroadBand Security Inc., and Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-49807\r\nNaoya Miyaguchi of Kanmu, Inc and Naoki Takayama of University of Tsukuba reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-50175\r\nNorihide Saito of Flatt Security inc., Naoya Miyaguchi of Kanmu, Inc, and Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-50294, CVE-2023-50332, CVE-2023-50339\r\nNorihide Saito of Flatt Security inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000123.html",
"sec:cpe": {
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2023-000123",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN18715935/index.html",
"@id": "JVN#18715935",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-42436",
"@id": "CVE-2023-42436",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-45737",
"@id": "CVE-2023-45737",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-45740",
"@id": "CVE-2023-45740",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-46699",
"@id": "CVE-2023-46699",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-47215",
"@id": "CVE-2023-47215",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-49119",
"@id": "CVE-2023-49119",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-49598",
"@id": "CVE-2023-49598",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-49779",
"@id": "CVE-2023-49779",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-49807",
"@id": "CVE-2023-49807",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-50175",
"@id": "CVE-2023-50175",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-50294",
"@id": "CVE-2023-50294",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-50332",
"@id": "CVE-2023-50332",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-50339",
"@id": "CVE-2023-50339",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-42436",
"@id": "CVE-2023-42436",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-45737",
"@id": "CVE-2023-45737",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-45740",
"@id": "CVE-2023-45740",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-46699",
"@id": "CVE-2023-46699",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-47215",
"@id": "CVE-2023-47215",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49119",
"@id": "CVE-2023-49119",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49598",
"@id": "CVE-2023-49598",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49779",
"@id": "CVE-2023-49779",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49807",
"@id": "CVE-2023-49807",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50175",
"@id": "CVE-2023-50175",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50294",
"@id": "CVE-2023-50294",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50332",
"@id": "CVE-2023-50332",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50339",
"@id": "CVE-2023-50339",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-352",
"@title": "Cross-Site Request Forgery(CWE-352)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple vulnerabilities in GROWI"
}
jvndb-2022-001953
Vulnerability from jvndb
Published
2022-06-15 17:47
Modified
2022-06-15 17:47
Summary
Growi vulnerable to weak password requirements
Details
GROWI provided by WESEEK, Inc. contains a weak password requirements vulnerability (CWE-521, CVE-2022-1236).
418sec first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WESEEK, Inc. as a coordinator. After the coordination between 418sec and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001953.html",
"dc:date": "2022-06-15T17:47+09:00",
"dcterms:issued": "2022-06-15T17:47+09:00",
"dcterms:modified": "2022-06-15T17:47+09:00",
"description": "GROWI provided by WESEEK, Inc. contains a weak password requirements vulnerability (CWE-521, CVE-2022-1236).\r\n\r\n418sec first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WSEEK, Inc. as a coordinator. After the coordination between 418sec and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001953.html",
"sec:cpe": {
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "6.4",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"@version": "2.0"
},
{
"@score": "6.5",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2022-001953",
"sec:references": [
{
"#text": "http://jvn.jp/en/vu/JVNVU96438711/index.html",
"@id": "JVNVU#96438711",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2022-1236",
"@id": "CVE-2022-1236",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-1236",
"@id": "CVE-2022-1236",
"@source": "NVD"
},
{
"#text": "https://huntr.dev/bounties/c7df088f-e355-45e6-9267-e41030dc6a32/?token=7f784544ffb530a9e6bef04557518633e763810d60f107095451c58b34645b81ad18529d3ea12f3b61ba547c99a0d87b2324e52da6efc4b01ec175416c479099bf5de3d16b8f07f0758556c278d058872597936f0e4fea7acb2bd2bc",
"@id": "Weak Password Requirements in weseek/growi",
"@source": "Related document"
},
{
"#text": "https://cwe.mitre.org/data/definitions/521.html",
"@id": "CWE-521",
"@title": "Weak Password Requirements(CWE-521)"
}
],
"title": "Growi vulnerable to weak password requirements"
}
jvndb-2021-000005
Vulnerability from jvndb
Published
2021-01-19 14:05
Modified
2021-01-19 14:05
Summary
GROWI vulnerable to cross-site scripting
Details
GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability (CWE-79).
Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000005.html",
"dc:date": "2021-01-19T14:05+09:00",
"dcterms:issued": "2021-01-19T14:05+09:00",
"dcterms:modified": "2021-01-19T14:05+09:00",
"description": "GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nYuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000005.html",
"sec:cpe": {
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "6.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2021-000005",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN57544707/index.html",
"@id": "JVN#57544707",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20619",
"@id": "CVE-2021-20619",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20619",
"@id": "CVE-2021-20619",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "GROWI vulnerable to cross-site scripting"
}
jvndb-2018-000085
Vulnerability from jvndb
Published
2018-08-03 15:04
Modified
2019-07-05 17:13
Summary
Multiple cross-site scripting vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below.
* Stored cross-site scripting vulnerability in the UserGroup Management section of admin page (CWE-79) - CVE-2018-0652
* Stored cross-site scripting vulnerability in Wiki page view (CWE-79) - CVE-2018-0653
* Reflected cross-site scripting vulnerability in the modal for creating Wiki page (CWE-79) - CVE-2018-0654
* Stored cross-site scripting in the app settings section of admin page (CWE-79) - CVE-2018-0655
The following researchers reported the vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2018-0652, CVE-2018-0653
Yoshinori Hayashi of Information Science College
CVE-2018-0654, CVE-2018-0655
Kanta Nishitani of Information Science College
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000085.html",
"dc:date": "2019-07-05T17:13+09:00",
"dcterms:issued": "2018-08-03T15:04+09:00",
"dcterms:modified": "2019-07-05T17:13+09:00",
"description": "GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below. \r\n* Stored cross-site scripting vulnerability in the UserGroup Management section of admin page (CWE-79) - CVE-2018-0652 \r\n* Stored cross-site scripting vulnerability in Wiki page view (CWE-79) - CVE-2018-0653 \r\n* Reflected cross-site scripting vulnerability in the modal for creating Wiki page (CWE-79) - CVE-2018-0654 \r\n* Stored cross-site scripting in the app settings section of admin page (CWE-79) - CVE-2018-0655\r\n\r\nThe following researchers reported the vulnerabilities to IPA.\r\n JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\n CVE-2018-0652, CVE-2018-0653\r\n Yoshinori Hayashi of Information Science College\r\n\r\n CVE-2018-0654, CVE-2018-0655\r\n Kanta Nishitani of Information Science College",
"link": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000085.html",
"sec:cpe": {
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "4.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "6.4",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2018-000085",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN18716340/index.html",
"@id": "JVN#18716340",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0652",
"@id": "CVE-2018-0652",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0653",
"@id": "CVE-2018-0653",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0654",
"@id": "CVE-2018-0654",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0655",
"@id": "CVE-2018-0655",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0652",
"@id": "CVE-2018-0652",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0653",
"@id": "CVE-2018-0653",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0654",
"@id": "CVE-2018-0654",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0655",
"@id": "CVE-2018-0655",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Multiple cross-site scripting vulnerabilities in GROWI"
}
jvndb-2018-000137
Vulnerability from jvndb
Published
2018-12-26 16:36
Modified
2019-08-27 15:07
Summary
GROWI vulnerable to cross-site scripting
Details
GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability (CWE-79).
The settings option for enabling and disabling the measures against cross-site scripting ("Enable XSS prevention" option) was introduced in v3.1.12. However, there was an issue with the implementation where the option looks enabled although the measures are disabled. This vulnerability was addressed in v3.2.4 according to the developer.
Takashi Yoneuchi of The University of Tokyo College of Arts and Sciences reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000137.html",
"dc:date": "2019-08-27T15:07+09:00",
"dcterms:issued": "2018-12-26T16:36+09:00",
"dcterms:modified": "2019-08-27T15:07+09:00",
"description": "GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nThe settings option for enabling and disabling the measures against cross-site scripting (\"Enable XSS prevention\" option) was introduced in v3.1.12. However, there was an issue with the implementation where the option looks enabled although the measures are disabled. This vulnerability was addressed in v3.2.4 according to the developer.\r\n\r\nTakashi Yoneuchi of The University of Tokyo College of Arts and Sciences reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000137.html",
"sec:cpe": {
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "4.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "5.4",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2018-000137",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN96493183/index.html",
"@id": "JVN#96493183",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0698",
"@id": "CVE-2018-0698",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16205",
"@id": "CVE-2018-16205",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0698",
"@id": "CVE-2018-0698",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-16205",
"@id": "CVE-2018-16205",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "GROWI vulnerable to cross-site scripting"
}
jvndb-2019-000033
Vulnerability from jvndb
Published
2019-06-07 15:18
Modified
2019-10-01 10:46
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
* Cross-site request forgery vulnerability in the process of updating user's "Basic Info" (CWE-352) - CVE-2019-5968
* Open redirect vulnerability in the process of login (CWE-601) - CVE-2019-5969
Security Group of DeCurret Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000033.html",
"dc:date": "2019-10-01T10:46+09:00",
"dcterms:issued": "2019-06-07T15:18+09:00",
"dcterms:modified": "2019-10-01T10:46+09:00",
"description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. \r\n* Cross-site request forgery vulnerability in the process of updating user\u0027s \"Basic Info\" (CWE-352) - CVE-2019-5968\r\n* Open redirect vulnerability in the process of login (CWE-601) - CVE-2019-5969\r\n\r\nSecurity Group of DeCurret Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000033.html",
"sec:cpe": {
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2019-000033",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN84876282/index.html",
"@id": "JVN#84876282",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5968",
"@id": "CVE-2019-5968",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5969",
"@id": "CVE-2019-5969",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-5968",
"@id": "CVE-2019-5968",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-5969",
"@id": "CVE-2019-5969",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-20",
"@title": "Improper Input Validation(CWE-20)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-352",
"@title": "Cross-Site Request Forgery(CWE-352)"
}
],
"title": "Multiple vulnerabilities in GROWI"
}
jvndb-2020-000085
Vulnerability from jvndb
Published
2020-12-15 15:41
Modified
2021-08-30 16:29
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
* Denial-of-service (DoS) due to improper verification of input values (CWE-400) - CVE-2020-5682
* Directory traversal due to improper verification of uploaded files (CWE-22) - CVE-2020-5683
These vulnerabilities were reported by the following persons to IPA, and JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2020-5682
Norihide Saito of Information Science College / Flatt Security inc.
CVE-2020-5683
Daisuke Takahashi of CyberAgent, Inc.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000085.html",
"dc:date": "2021-08-30T16:29+09:00",
"dcterms:issued": "2020-12-15T15:41+09:00",
"dcterms:modified": "2021-08-30T16:29+09:00",
"description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.\r\n* Denial-of-service (DoS) due to improper verification of input values (CWE-400) - CVE-2020-5682\r\n* Directory traversal due to improper verification of uploaded files (CWE-22) - CVE-2020-5683\r\n\r\nThese vulnerabilities were reported by the following persons to IPA, and JPCERT/CC coordinated coordinated with the developer under Information Security Early Warning Partnership.\r\nCVE-2020-5682\r\nNorihide Saito of Information Science College / Flatt Security inc.\r\nCVE-2020-5683\r\nDaisuke Takahashi of CyberAgent, Inc.",
"link": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000085.html",
"sec:cpe": {
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"@version": "2.0"
},
{
"@score": "5.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2020-000085",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN94169589/index.html",
"@id": "JVN#94169589",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5682",
"@id": "CVE-2020-5682",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5683",
"@id": "CVE-2020-5683",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5682",
"@id": "CVE-2020-5682",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5683",
"@id": "CVE-2020-5683",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-22",
"@title": "Path Traversal(CWE-22)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple vulnerabilities in GROWI"
}
jvndb-2021-000019
Vulnerability from jvndb
Published
2021-03-10 16:11
Modified
2021-03-10 16:11
Summary
Multiple cross-site scripting vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below.
* Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters (CWE-79) - CVE-2021-20672
* Stored cross-site scripting vulnerability in Admin Page (CWE-79) - CVE-2021-20673
Naoya Miyaguchi of 3-shake Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000019.html",
"dc:date": "2021-03-10T16:11+09:00",
"dcterms:issued": "2021-03-10T16:11+09:00",
"dcterms:modified": "2021-03-10T16:11+09:00",
"description": "GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below.\r\n*Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters (CWE-79) - CVE-2021-20672\r\n*Stored cross-site scripting vulnerability in Admin Page (CWE-79) - CVE-2021-20673\r\n\r\nNaoya Miyaguchi of 3-shake Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000019.html",
"sec:cpe": {
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "3.5",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "4.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2021-000019",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN86438134/index.html",
"@id": "JVN#86438134",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20672",
"@id": "CVE-2021-20672",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20673",
"@id": "CVE-2021-20673",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20672",
"@id": "CVE-2021-20672",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20673",
"@id": "CVE-2021-20673",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Multiple cross-site scripting vulnerabilities in GROWI"
}
jvndb-2020-000077
Vulnerability from jvndb
Published
2020-11-25 14:54
Modified
2020-11-25 14:54
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
* Information disclosure (CWE-200) - CVE-2020-5676
* Reflected cross-site scripting vulnerability due to a flaw in processing input URLs (CWE-79) - CVE-2020-5677
* Stored cross-site scripting vulnerability due to a flaw in processing POST requests (CWE-79) - CVE-2020-5678
Norihide Saito of information science college reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000077.html",
"dc:date": "2020-11-25T14:54+09:00",
"dcterms:issued": "2020-11-25T14:54+09:00",
"dcterms:modified": "2020-11-25T14:54+09:00",
"description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.\r\n\r\n* Information disclosure (CWE-200) - CVE-2020-5676\r\n* Reflected cross-site scripting vulnerability due to a flaw in processing input URLs (CWE-79) - CVE-2020-5677\r\n* Stored cross-site scripting vulnerability due to a flaw in processing POST requests (CWE-79) - CVE-2020-5678\r\n\r\nNorihide Saito of information science college reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000077.html",
"sec:cpe": {
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"@version": "2.0"
},
{
"@score": "5.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2020-000077",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN56450373/index.html",
"@id": "JVN#56450373",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5676",
"@id": "CVE-2020-5676",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5677",
"@id": "CVE-2020-5677",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5678",
"@id": "CVE-2020-5678",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5676",
"@id": "CVE-2020-5676",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5677",
"@id": "CVE-2020-5677",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5678",
"@id": "CVE-2020-5678",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-200",
"@title": "Information Exposure(CWE-200)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Multiple vulnerabilities in GROWI"
}
jvndb-2022-000076
Vulnerability from jvndb
Published
2022-10-07 14:30
Modified
2024-06-12 12:04
Summary
Growi vulnerable to improper access control
Details
GROWI provided by WESEEK, Inc. contains an improper access control vulnerability (CWE-284).
Kenta Yamamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000076.html",
"dc:date": "2024-06-12T12:04+09:00",
"dcterms:issued": "2022-10-07T14:30+09:00",
"dcterms:modified": "2024-06-12T12:04+09:00",
"description": "GROWI provided by WESEEK, Inc. contains an improper access control vulnerability (CWE-284).\r\n\r\nKenta Yamamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000076.html",
"sec:cpe": {
"#text": "cpe:/a:weseek:growi",
"@product": "GROWI",
"@vendor": "WESEEK, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "4.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"@version": "2.0"
},
{
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2022-000076",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN00845253/index.html",
"@id": "JVN#00845253",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2022-41799",
"@id": "CVE-2022-41799",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-41799",
"@id": "CVE-2022-41799",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-264",
"@title": "Permissions(CWE-264)"
}
],
"title": "Growi vulnerable to improper access control"
}
CVE-2023-45737 (GCVE-0-2023-45737)
Vulnerability from cvelistv5
Published
2023-12-26 07:20
Modified
2024-08-02 20:29
CWE
- Cross-site scripting (XSS)
Summary
Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page of GROWI versions prior to v3.5.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | prior to v3.5.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:29:32.277Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v3.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page of GROWI versions prior to v3.5.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:36.390Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-45737",
"datePublished": "2023-12-26T07:20:36.390Z",
"dateReserved": "2023-12-07T02:39:48.512Z",
"dateUpdated": "2024-08-02T20:29:32.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20670 (GCVE-0-2021-20670)
Vulnerability from cvelistv5
Published
2021-03-10 09:20
Modified
2024-08-03 17:45
CWE
- Improper Access Control
Summary
Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to read the user's personal information and/or server's internal information via unspecified vectors.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | versions v4.2.2 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:45:45.348Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "versions v4.2.2 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to read the user\u0027s personal information and/or server\u0027s internal information via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Access Control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-10T09:20:33",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20670",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "versions v4.2.2 and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to read the user\u0027s personal information and/or server\u0027s internal information via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/",
"refsource": "MISC",
"url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/"
},
{
"name": "https://jvn.jp/en/vu/JVNVU94889258/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20670",
"datePublished": "2021-03-10T09:20:33",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:45:45.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-0655 (GCVE-0-2018-0655)
Vulnerability from cvelistv5
Published
2018-09-07 14:00
Modified
2024-08-05 03:35
CWE
- Cross-site scripting
Summary
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the app settings section of admin page.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | v.3.1.11 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:35:48.842Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/"
},
{
"name": "JVN#18716340",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN18716340/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "v.3.1.11 and earlier"
}
]
}
],
"datePublic": "2018-07-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the app settings section of admin page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-07T13:57:01",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/"
},
{
"name": "JVN#18716340",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN18716340/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2018-0655",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "v.3.1.11 and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the app settings section of admin page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/",
"refsource": "CONFIRM",
"url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/"
},
{
"name": "JVN#18716340",
"refsource": "JVN",
"url": "http://jvn.jp/en/jp/JVN18716340/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2018-0655",
"datePublished": "2018-09-07T14:00:00",
"dateReserved": "2017-11-27T00:00:00",
"dateUpdated": "2024-08-05T03:35:48.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-5969 (GCVE-0-2019-5969)
Vulnerability from cvelistv5
Published
2019-07-05 13:20
Modified
2024-08-04 20:09
CWE
- Open Redirect
Summary
Open redirect vulnerability in GROWI v3.4.6 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the process of login.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | v3.4.6 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:09:23.956Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN84876282/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "v3.4.6 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open redirect vulnerability in GROWI v3.4.6 and earlier allows remote attackersto redirect users to arbitrary web sites and conduct phishing attacks via the process of login."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Open Redirect",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-05T13:20:17",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN84876282/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2019-5969",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "v3.4.6 and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Open redirect vulnerability in GROWI v3.4.6 and earlier allows remote attackersto redirect users to arbitrary web sites and conduct phishing attacks via the process of login."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Open Redirect"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/",
"refsource": "MISC",
"url": "https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/"
},
{
"name": "https://jvn.jp/en/jp/JVN84876282/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN84876282/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2019-5969",
"datePublished": "2019-07-05T13:20:17",
"dateReserved": "2019-01-10T00:00:00",
"dateUpdated": "2024-08-04T20:09:23.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5683 (GCVE-0-2020-5683)
Vulnerability from cvelistv5
Published
2020-12-16 07:45
Modified
2024-08-04 08:39
CWE
- Directory traversal
Summary
Directory traversal vulnerability in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier allows remote attackers to alter the data by uploading a specially crafted file.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:39:25.766Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/weseek/growi"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hub.docker.com/r/weseek/growi/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN94169589/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier allows remote attackers to alter the data by uploading a specially crafted file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Directory traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-16T07:45:19",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/weseek/growi"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hub.docker.com/r/weseek/growi/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN94169589/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2020-5683",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier allows remote attackers to alter the data by uploading a specially crafted file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Directory traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/weseek/growi",
"refsource": "MISC",
"url": "https://github.com/weseek/growi"
},
{
"name": "https://hub.docker.com/r/weseek/growi/",
"refsource": "MISC",
"url": "https://hub.docker.com/r/weseek/growi/"
},
{
"name": "https://jvn.jp/en/jp/JVN94169589/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN94169589/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2020-5683",
"datePublished": "2020-12-16T07:45:19",
"dateReserved": "2020-01-06T00:00:00",
"dateUpdated": "2024-08-04T08:39:25.766Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50332 (GCVE-0-2023-50332)
Vulnerability from cvelistv5
Published
2023-12-26 07:21
Modified
2024-08-02 22:16
CWE
- Improper authorization
Summary
Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6. If this vulnerability is exploited, a user may delete or suspend its own account without the user's intention.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | prior to v6.0.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.265Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6. If this vulnerability is exploited, a user may delete or suspend its own account without the user\u0027s intention.\r\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper authorization",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:24.393Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-50332",
"datePublished": "2023-12-26T07:21:24.393Z",
"dateReserved": "2023-12-07T02:39:51.268Z",
"dateUpdated": "2024-08-02T22:16:46.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46699 (GCVE-0-2023-46699)
Vulnerability from cvelistv5
Published
2023-12-26 07:20
Modified
2024-09-12 12:36
CWE
- Cross-site request forgery (CSRF)
Summary
Cross-site request forgery (CSRF) vulnerability exists in the User settings (/me) page of GROWI versions prior to v6.0.0. If a user views a malicious page while logging in, settings may be changed without the user's intention.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | prior to v6.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:20.881Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46699",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-04T18:22:27.439104Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T12:36:17.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability exists in the User settings (/me) page of GROWI versions prior to v6.0.0. If a user views a malicious page while logging in, settings may be changed without the user\u0027s intention."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site request forgery (CSRF)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:48.092Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-46699",
"datePublished": "2023-12-26T07:20:48.092Z",
"dateReserved": "2023-12-07T02:39:49.423Z",
"dateUpdated": "2024-09-12T12:36:17.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-5968 (GCVE-0-2019-5968)
Vulnerability from cvelistv5
Published
2019-07-05 13:20
Modified
2024-08-04 20:09
CWE
- Cross-site request forgery
Summary
Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authentication of administrators via updating user's 'Basic Info'.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | v3.4.6 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:09:23.982Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN84876282/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "v3.4.6 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authentication of administrators via updating user\u0027s \u0027Basic Info\u0027."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site request forgery",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-05T13:20:17",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN84876282/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2019-5968",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "v3.4.6 and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authentication of administrators via updating user\u0027s \u0027Basic Info\u0027."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site request forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/",
"refsource": "MISC",
"url": "https://weseek.co.jp/security/2019/06/04/growi-fix-jvn84876282/"
},
{
"name": "https://jvn.jp/en/jp/JVN84876282/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN84876282/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2019-5968",
"datePublished": "2019-07-05T13:20:17",
"dateReserved": "2019-01-10T00:00:00",
"dateUpdated": "2024-08-04T20:09:23.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47215 (GCVE-0-2023-47215)
Vulnerability from cvelistv5
Published
2023-12-26 07:20
Modified
2024-08-02 21:01
CWE
- Cross-site scripting (XSS)
Summary
A stored cross-site scripting vulnerability that exploits a behavior of the XSS Filter exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | prior to v6.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:01:22.674Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability which is exploiting a behavior of the XSS Filter exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:53.804Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-47215",
"datePublished": "2023-12-26T07:20:53.804Z",
"dateReserved": "2023-12-07T02:39:47.663Z",
"dateUpdated": "2024-08-02T21:01:22.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49807 (GCVE-0-2023-49807)
Vulnerability from cvelistv5
Published
2023-12-26 07:21
Modified
2024-08-02 22:01
CWE
- Cross-site scripting (XSS)
Summary
A stored cross-site scripting vulnerability in the processing of MathJax exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | prior to v6.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:26.024Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability when processing the MathJax exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:11.658Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-49807",
"datePublished": "2023-12-26T07:21:11.658Z",
"dateReserved": "2023-12-07T02:39:44.808Z",
"dateUpdated": "2024-08-02T22:01:26.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5682 (GCVE-0-2020-5682)
Vulnerability from cvelistv5
Published
2020-12-16 07:45
Modified
2024-08-04 08:39
CWE
- Improper Input Validation
Summary
Improper input validation in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier allows remote attackers to cause a denial of service via unspecified vectors.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:39:25.628Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/weseek/growi"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hub.docker.com/r/weseek/growi/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN94169589/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper input validation in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier allows remote attackers to cause a denial of service via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Input Validation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-16T07:45:18",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/weseek/growi"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hub.docker.com/r/weseek/growi/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN94169589/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2020-5682",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper input validation in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier allows remote attackers to cause a denial of service via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/weseek/growi",
"refsource": "MISC",
"url": "https://github.com/weseek/growi"
},
{
"name": "https://hub.docker.com/r/weseek/growi/",
"refsource": "MISC",
"url": "https://hub.docker.com/r/weseek/growi/"
},
{
"name": "https://jvn.jp/en/jp/JVN94169589/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN94169589/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2020-5682",
"datePublished": "2020-12-16T07:45:18",
"dateReserved": "2020-01-06T00:00:00",
"dateUpdated": "2024-08-04T08:39:25.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5678 (GCVE-0-2020-5678)
Vulnerability from cvelistv5
Published
2020-12-03 11:15
Modified
2024-08-04 08:39
CWE
- Cross-site scripting
Summary
Stored cross-site scripting vulnerability in GROWI v3.8.1 and earlier allows remote attackers to inject arbitrary script via unspecified vectors.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | v3.8.1 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:39:25.526Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/weseek/growi"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hub.docker.com/r/weseek/growi/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN56450373/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "v3.8.1 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability in GROWI v3.8.1 and earlier allows remote attackers to inject arbitrary script via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-03T11:15:32",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/weseek/growi"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hub.docker.com/r/weseek/growi/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN56450373/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2020-5678",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "v3.8.1 and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Stored cross-site scripting vulnerability in GROWI v3.8.1 and earlier allows remote attackers to inject arbitrary script via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/weseek/growi",
"refsource": "MISC",
"url": "https://github.com/weseek/growi"
},
{
"name": "https://hub.docker.com/r/weseek/growi/",
"refsource": "MISC",
"url": "https://hub.docker.com/r/weseek/growi/"
},
{
"name": "https://jvn.jp/en/jp/JVN56450373/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN56450373/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2020-5678",
"datePublished": "2020-12-03T11:15:32",
"dateReserved": "2020-01-06T00:00:00",
"dateUpdated": "2024-08-04T08:39:25.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20671 (GCVE-0-2021-20671)
Vulnerability from cvelistv5
Published
2021-03-10 09:20
Modified
2024-08-03 17:45
CWE
- Improper Input Validation
Summary
Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative privilege to overwrite the files on the server, which may lead to arbitrary code execution.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | versions v4.2.2 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:45:45.225Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "versions v4.2.2 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative privilege to overwrite the files on the server, which may lead to arbitrary code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Input Validation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-10T09:20:34",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20671",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "versions v4.2.2 and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative privilege to overwrite the files on the server, which may lead to arbitrary code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/",
"refsource": "MISC",
"url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/"
},
{
"name": "https://jvn.jp/en/vu/JVNVU94889258/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20671",
"datePublished": "2021-03-10T09:20:34",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:45:45.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49779 (GCVE-0-2023-49779)
Vulnerability from cvelistv5
Published
2023-12-26 07:21
Modified
2024-08-02 22:01
CWE
- Cross-site scripting (XSS)
Summary
Stored cross-site scripting vulnerability exists in the anchor tag of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | prior to v6.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:25.681Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the anchor tag of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:06.972Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-49779",
"datePublished": "2023-12-26T07:21:06.972Z",
"dateReserved": "2023-12-07T02:39:53.189Z",
"dateUpdated": "2024-08-02T22:01:25.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5676 (GCVE-0-2020-5676)
Vulnerability from cvelistv5
Published
2020-12-03 11:15
Modified
2024-08-04 08:39
CWE
- Information Disclosure
Summary
GROWI v4.1.3 and earlier allow remote attackers to obtain information that they are not permitted to access via unspecified vectors.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | v4.1.3 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:39:25.482Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/weseek/growi"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hub.docker.com/r/weseek/growi/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN56450373/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "v4.1.3 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GROWI v4.1.3 and earlier allow remote attackers to obtain information which is not allowed to access via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-03T11:15:31",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/weseek/growi"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hub.docker.com/r/weseek/growi/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN56450373/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2020-5676",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "v4.1.3 and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GROWI v4.1.3 and earlier allow remote attackers to obtain information which is not allowed to access via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/weseek/growi",
"refsource": "MISC",
"url": "https://github.com/weseek/growi"
},
{
"name": "https://hub.docker.com/r/weseek/growi/",
"refsource": "MISC",
"url": "https://hub.docker.com/r/weseek/growi/"
},
{
"name": "https://jvn.jp/en/jp/JVN56450373/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN56450373/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2020-5676",
"datePublished": "2020-12-03T11:15:31",
"dateReserved": "2020-01-06T00:00:00",
"dateUpdated": "2024-08-04T08:39:25.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50175 (GCVE-0-2023-50175)
Vulnerability from cvelistv5
Published
2023-12-26 07:21
Modified
2025-04-23 15:59
CWE
- Cross-site scripting (XSS)
Summary
Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | Version: prior to v6.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.793Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-50175",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-02T17:53:10.816140Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T15:59:54.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:15.728Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-50175",
"datePublished": "2023-12-26T07:21:15.728Z",
"dateReserved": "2023-12-07T02:39:52.053Z",
"dateUpdated": "2025-04-23T15:59:54.774Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-0652 (GCVE-0-2018-0652)
Vulnerability from cvelistv5
Published
2018-09-07 14:00
Modified
2024-08-05 03:35
CWE
- Cross-site scripting
Summary
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the UserGroup Management section of admin page.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | Version: v.3.1.11 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:35:48.908Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/"
},
{
"name": "JVN#18716340",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN18716340/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "v.3.1.11 and earlier"
}
]
}
],
"datePublic": "2018-07-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the UserGroup Management section of admin page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-07T13:57:01",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/"
},
{
"name": "JVN#18716340",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN18716340/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2018-0652",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "v.3.1.11 and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the UserGroup Management section of admin page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/",
"refsource": "CONFIRM",
"url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/"
},
{
"name": "JVN#18716340",
"refsource": "JVN",
"url": "http://jvn.jp/en/jp/JVN18716340/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2018-0652",
"datePublished": "2018-09-07T14:00:00",
"dateReserved": "2017-11-27T00:00:00",
"dateUpdated": "2024-08-05T03:35:48.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5677 (GCVE-0-2020-5677)
Vulnerability from cvelistv5
Published
2020-12-03 11:15
Modified
2024-08-04 08:39
CWE
- Cross-site scripting
Summary
Reflected cross-site scripting vulnerability in GROWI v4.0.0 and earlier allows remote attackers to inject arbitrary script via unspecified vectors.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | Version: v4.0.0 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:39:25.646Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/weseek/growi"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hub.docker.com/r/weseek/growi/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN56450373/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "v4.0.0 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Reflected cross-site scripting vulnerability in GROWI v4.0.0 and earlier allows remote attackers to inject arbitrary script via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-03T11:15:31",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/weseek/growi"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hub.docker.com/r/weseek/growi/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN56450373/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2020-5677",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "v4.0.0 and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Reflected cross-site scripting vulnerability in GROWI v4.0.0 and earlier allows remote attackers to inject arbitrary script via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/weseek/growi",
"refsource": "MISC",
"url": "https://github.com/weseek/growi"
},
{
"name": "https://hub.docker.com/r/weseek/growi/",
"refsource": "MISC",
"url": "https://hub.docker.com/r/weseek/growi/"
},
{
"name": "https://jvn.jp/en/jp/JVN56450373/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN56450373/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2020-5677",
"datePublished": "2020-12-03T11:15:32",
"dateReserved": "2020-01-06T00:00:00",
"dateUpdated": "2024-08-04T08:39:25.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-0698 (GCVE-0-2018-0698)
Vulnerability from cvelistv5
Published
2019-01-09 22:00
Modified
2024-08-05 03:35
CWE
- Cross-site scripting
Summary
Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | Version: v3.2.3 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:35:49.060Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "JVN#96493183",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN96493183/index.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "v3.2.3 and earlier"
}
]
}
],
"datePublic": "2019-01-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-09T21:57:01",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"name": "JVN#96493183",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "https://jvn.jp/en/jp/JVN96493183/index.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2018-0698",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "v3.2.3 and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "JVN#96493183",
"refsource": "JVN",
"url": "https://jvn.jp/en/jp/JVN96493183/index.html"
},
{
"name": "https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/",
"refsource": "MISC",
"url": "https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2018-0698",
"datePublished": "2019-01-09T22:00:00",
"dateReserved": "2017-11-27T00:00:00",
"dateUpdated": "2024-08-05T03:35:49.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20667 (GCVE-0-2021-20667)
Vulnerability from cvelistv5
Published
2021-03-10 09:20
Modified
2024-08-03 17:45
CWE
- Cross-site scripting
Summary
Stored cross-site scripting vulnerability due to inadequate CSP (Content Security Policy) configuration in GROWI versions v4.2.2 and earlier allows remote authenticated attackers to inject an arbitrary script via a specially crafted content.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | Version: versions v4.2.2 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:45:45.356Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "versions v4.2.2 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability due to inadequate CSP (Content Security Policy) configuration in GROWI versions v4.2.2 and earlier allows remote authenticated attackers to inject an arbitrary script via a specially crafted content."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-10T09:20:30",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20667",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "versions v4.2.2 and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Stored cross-site scripting vulnerability due to inadequate CSP (Content Security Policy) configuration in GROWI versions v4.2.2 and earlier allows remote authenticated attackers to inject an arbitrary script via a specially crafted content."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/",
"refsource": "MISC",
"url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/"
},
{
"name": "https://jvn.jp/en/vu/JVNVU94889258/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20667",
"datePublished": "2021-03-10T09:20:31",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:45:45.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20736 (GCVE-0-2021-20736)
Vulnerability from cvelistv5
Published
2021-06-22 01:35
Modified
2024-08-03 17:53
CWE
- NoSQL injection
Summary
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | Version: versions prior to v4.2.20 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:21.832Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN95457785/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "versions prior to v4.2.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "NoSQL injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-22T01:35:50",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN95457785/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20736",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "versions prior to v4.2.20"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "NoSQL injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/",
"refsource": "MISC",
"url": "https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/"
},
{
"name": "https://jvn.jp/en/jp/JVN95457785/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN95457785/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20736",
"datePublished": "2021-06-22T01:35:50",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:53:21.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50294 (GCVE-0-2023-50294)
Vulnerability from cvelistv5
Published
2023-12-26 07:21
Modified
2024-08-02 22:16
CWE
- Cleartext storage of sensitive information
Summary
The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained by an attacker who can access the App Settings page.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | Version: prior to v6.0.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.259Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained by an attacker who can access the App Settings page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cleartext storage of sensitive information",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:19.831Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-50294",
"datePublished": "2023-12-26T07:21:19.831Z",
"dateReserved": "2023-12-07T02:39:43.973Z",
"dateUpdated": "2024-08-02T22:16:46.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16205 (GCVE-0-2018-16205)
Vulnerability from cvelistv5
Published
2019-01-09 22:00
Modified
2024-08-05 10:17
CWE
- Cross-site scripting
Summary
Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via New Page modal.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | Version: v3.2.3 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:17:38.294Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "JVN#96493183",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN96493183/index.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "v3.2.3 and earlier"
}
]
}
],
"datePublic": "2019-01-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via New Page modal."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-09T21:57:01",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"name": "JVN#96493183",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "https://jvn.jp/en/jp/JVN96493183/index.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2018-16205",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "v3.2.3 and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via New Page modal."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "JVN#96493183",
"refsource": "JVN",
"url": "https://jvn.jp/en/jp/JVN96493183/index.html"
},
{
"name": "https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/",
"refsource": "MISC",
"url": "https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2018-16205",
"datePublished": "2019-01-09T22:00:00",
"dateReserved": "2018-08-30T00:00:00",
"dateUpdated": "2024-08-05T10:17:38.294Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-0653 (GCVE-0-2018-0653)
Vulnerability from cvelistv5
Published
2018-09-07 14:00
Modified
2024-08-05 03:35
CWE
- Cross-site scripting
Summary
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via Wiki page view.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | Version: v.3.1.11 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:35:48.690Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/"
},
{
"name": "JVN#18716340",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN18716340/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "v.3.1.11 and earlier"
}
]
}
],
"datePublic": "2018-07-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via Wiki page view."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-07T13:57:01",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/"
},
{
"name": "JVN#18716340",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN18716340/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2018-0653",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "v.3.1.11 and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via Wiki page view."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/",
"refsource": "CONFIRM",
"url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/"
},
{
"name": "JVN#18716340",
"refsource": "JVN",
"url": "http://jvn.jp/en/jp/JVN18716340/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2018-0653",
"datePublished": "2018-09-07T14:00:00",
"dateReserved": "2017-11-27T00:00:00",
"dateUpdated": "2024-08-05T03:35:48.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50339 (GCVE-0-2023-50339)
Vulnerability from cvelistv5
Published
2023-12-26 07:20
Modified
2024-09-09 18:00
CWE
- Cross-site scripting (XSS)
Summary
Stored cross-site scripting vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.1.11. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | Version: v6.1.11 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.697Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50339",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-27T18:02:51.280364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T18:00:25.425Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "v6.1.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.1.11. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:31.556Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-50339",
"datePublished": "2023-12-26T07:20:31.556Z",
"dateReserved": "2023-12-07T02:39:54.055Z",
"dateUpdated": "2024-09-09T18:00:25.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45740 (GCVE-0-2023-45740)
Vulnerability from cvelistv5
Published
2023-12-26 07:20
Modified
2025-04-23 16:03
CWE
- Cross-site scripting (XSS)
Summary
Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | prior to v4.1.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:29:32.245Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-45740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-02T17:52:27.722596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:03:49.231Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v4.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:42.853Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-45740",
"datePublished": "2023-12-26T07:20:42.853Z",
"dateReserved": "2023-12-07T02:39:50.226Z",
"dateUpdated": "2025-04-23T16:03:49.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20737 (GCVE-0-2021-20737)
Vulnerability from cvelistv5
Published
2021-06-22 01:35
Modified
2024-08-03 17:53
CWE
- Improper authentication
Summary
Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | versions prior to v4.2.20 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:21.843Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN95457785/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "versions prior to v4.2.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper authentication",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-22T01:35:51",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN95457785/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20737",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "versions prior to v4.2.20"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/",
"refsource": "MISC",
"url": "https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/"
},
{
"name": "https://jvn.jp/en/jp/JVN95457785/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN95457785/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20737",
"datePublished": "2021-06-22T01:35:51",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:53:21.843Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42436 (GCVE-0-2023-42436)
Vulnerability from cvelistv5
Published
2023-12-26 07:22
Modified
2024-08-02 19:16
CWE
- Cross-site scripting (XSS)
Summary
Stored cross-site scripting vulnerability exists in the presentation feature of GROWI versions prior to v3.4.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | prior to v3.4.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:16:51.003Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v3.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the presentation feature of GROWI versions prior to v3.4.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:22:50.373Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-42436",
"datePublished": "2023-12-26T07:22:50.373Z",
"dateReserved": "2023-12-07T02:39:45.772Z",
"dateUpdated": "2024-08-02T19:16:51.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20669 (GCVE-0-2021-20669)
Vulnerability from cvelistv5
Published
2021-03-10 09:20
Modified
2024-08-03 17:45
CWE
- Path Traversal
Summary
Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read and/or delete an arbitrary path via a specially crafted URL.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | versions v4.2.2 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:45:45.355Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "versions v4.2.2 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read and/or delete an arbitrary path via a specially crafted URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Path Traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-10T09:20:32",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20669",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "versions v4.2.2 and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read and/or delete an arbitrary path via a specially crafted URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/",
"refsource": "MISC",
"url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/"
},
{
"name": "https://jvn.jp/en/vu/JVNVU94889258/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20669",
"datePublished": "2021-03-10T09:20:32",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:45:45.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-0654 (GCVE-0-2018-0654)
Vulnerability from cvelistv5
Published
2018-09-07 14:00
Modified
2024-08-05 03:35
CWE
- Cross-site scripting
Summary
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the modal for creating Wiki page.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | v.3.1.11 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:35:49.324Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/"
},
{
"name": "JVN#18716340",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN18716340/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "v.3.1.11 and earlier"
}
]
}
],
"datePublic": "2018-07-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the modal for creating Wiki page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-07T13:57:01",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/"
},
{
"name": "JVN#18716340",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN18716340/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2018-0654",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "v.3.1.11 and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the modal for creating Wiki page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/",
"refsource": "CONFIRM",
"url": "https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/"
},
{
"name": "JVN#18716340",
"refsource": "JVN",
"url": "http://jvn.jp/en/jp/JVN18716340/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2018-0654",
"datePublished": "2018-09-07T14:00:00",
"dateReserved": "2017-11-27T00:00:00",
"dateUpdated": "2024-08-05T03:35:49.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20829 (GCVE-0-2021-20829)
Vulnerability from cvelistv5
Published
2021-09-21 09:25
Modified
2024-08-03 17:53
CWE
- Cross-site scripting
Summary
Cross-site scripting vulnerability due to the inadequate tag sanitization in GROWI versions v4.2.19 and earlier allows remote attackers to execute an arbitrary script on the web browser of the user who accesses a specially crafted page.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | versions v4.2.19 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:23.057Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://weseek.co.jp/security/2021/09/17/vulnerability/growi-prevent-multiple-xss-addition/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "versions v4.2.19 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability due to the inadequate tag sanitization in GROWI versions v4.2.19 and earlier allows remote attackers to execute an arbitrary script on the web browser of the user who accesses a specially crafted page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-21T09:25:10",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://weseek.co.jp/security/2021/09/17/vulnerability/growi-prevent-multiple-xss-addition/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20829",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "versions v4.2.19 and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability due to the inadequate tag sanitization in GROWI versions v4.2.19 and earlier allows remote attackers to execute an arbitrary script on the web browser of the user who accesses a specially crafted page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jvn.jp/en/vu/JVNVU94889258/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
},
{
"name": "https://weseek.co.jp/security/2021/09/17/vulnerability/growi-prevent-multiple-xss-addition/",
"refsource": "MISC",
"url": "https://weseek.co.jp/security/2021/09/17/vulnerability/growi-prevent-multiple-xss-addition/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20829",
"datePublished": "2021-09-21T09:25:10",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:53:23.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20668 (GCVE-0-2021-20668)
Vulnerability from cvelistv5
Published
2021-03-10 09:20
Modified
2024-08-03 17:45
CWE
- Path Traversal
Summary
Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read an arbitrary path via a specially crafted URL.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | versions v4.2.2 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:45:45.504Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "versions v4.2.2 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read an arbitrary path via a specially crafted URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Path Traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-10T09:20:31",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20668",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GROWI",
"version": {
"version_data": [
{
"version_value": "versions v4.2.2 and earlier"
}
]
}
}
]
},
"vendor_name": "WESEEK, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read an arbitrary path via a specially crafted URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/",
"refsource": "MISC",
"url": "https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/"
},
{
"name": "https://jvn.jp/en/vu/JVNVU94889258/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU94889258/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20668",
"datePublished": "2021-03-10T09:20:31",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:45:45.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49119 (GCVE-0-2023-49119)
Vulnerability from cvelistv5
Published
2023-12-26 07:20
Modified
2024-11-27 15:22
CWE
- Cross-site scripting (XSS)
Summary
Stored cross-site scripting vulnerability via the img tags exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | prior to v6.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:46:29.293Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49119",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-10T20:31:53.312588Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T15:22:12.385Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability via the img tags exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:20:58.393Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-49119",
"datePublished": "2023-12-26T07:20:58.393Z",
"dateReserved": "2023-12-07T02:39:46.701Z",
"dateUpdated": "2024-11-27T15:22:12.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49598 (GCVE-0-2023-49598)
Vulnerability from cvelistv5
Published
2023-12-26 07:21
Modified
2024-08-02 22:01
CWE
- Cross-site scripting (XSS)
Summary
Stored cross-site scripting vulnerability exists in the event handlers of the pre tags in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WESEEK, Inc. | GROWI | prior to v6.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:25.946Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "WESEEK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in the event handlers of the pre tags in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T07:21:02.611Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
},
{
"url": "https://jvn.jp/en/jp/JVN18715935/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-49598",
"datePublished": "2023-12-26T07:21:02.611Z",
"dateReserved": "2023-12-07T02:39:42.967Z",
"dateUpdated": "2024-08-02T22:01:25.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}