cvelistv5 - cve-2023-45740

CVE-2023-45740 (GCVE-0-2023-45740)

Vulnerability from cvelistv5

Published

2023-12-26 07:20

Modified

2025-04-23 16:03

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

Cross-site scripting (XSS)

Summary

Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.

References

►

URL

Tags

	https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/
	https://jvn.jp/en/jp/JVN18715935/

Impacted products

	Vendor	Product	Version
	WESEEK, Inc.	GROWI	Version: prior to v4.1.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T20:29:32.245Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN18715935/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-45740",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-01-02T17:52:27.722596Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:03:49.231Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GROWI",
          "vendor": "WESEEK, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "prior to v4.1.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-site scripting (XSS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-26T07:20:42.853Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN18715935/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2023-45740",
    "datePublished": "2023-12-26T07:20:42.853Z",
    "dateReserved": "2023-12-07T02:39:50.226Z",
    "dateUpdated": "2025-04-23T16:03:49.231Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"vendor\": \"WESEEK, Inc.\", \"product\": \"GROWI\", \"versions\": [{\"version\": \"prior to v4.1.3\", \"status\": \"affected\"}]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.\"}], \"problemTypes\": [{\"descriptions\": [{\"description\": \"Cross-site scripting (XSS)\", \"lang\": \"en\", \"type\": \"text\"}]}], \"references\": [{\"url\": \"https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/\"}, {\"url\": \"https://jvn.jp/en/jp/JVN18715935/\"}], \"providerMetadata\": {\"orgId\": \"ede6fdc4-6654-4307-a26d-3331c018e2ce\", \"shortName\": \"jpcert\", \"dateUpdated\": \"2023-12-26T07:20:42.853Z\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T20:29:32.245Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://jvn.jp/en/jp/JVN18715935/\", \"tags\": [\"x_transferred\"]}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-45740\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-01-02T17:52:27.722596Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T16:03:03.776Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-45740\", \"assignerOrgId\": \"ede6fdc4-6654-4307-a26d-3331c018e2ce\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"jpcert\", \"dateReserved\": \"2023-12-07T02:39:50.226Z\", \"datePublished\": \"2023-12-26T07:20:42.853Z\", \"dateUpdated\": \"2025-04-23T16:03:49.231Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

cve-2023-45740

Vulnerability from jvndb

Published

2023-12-13 15:30

Modified

2024-03-19 17:46

Severity ?

4.3 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Summary

Multiple vulnerabilities in GROWI

Details

GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. <ul><li>Stored cross-site scripting vulnerability in the presentation feature (CWE-79) - CVE-2023-42436</li><li>Stored cross-site scripting vulnerability in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page (CWE-79) - CVE-2023-45737</li><li>Stored cross-site scripting vulnerability when processing profile images (CWE-79) - CVE-2023-45740</li><li>Cross-site request forgery vulnerability in the User settings (/me) page (CWE-352) - CVE-2023-46699</li><li>Stored cross-site scripting vulnerability exploiting a behavior of the XSS Filter (CWE-79) - CVE-2023-47215</li><li>Stored cross-site scripting vulnerability via the img tags (CWE-79) - CVE-2023-49119</li><li>Stored cross-site scripting vulnerability in the event handlers of the pre tags (CWE-79) - CVE-2023-49598</li><li>Stored cross-site scripting vulnerability in the anchor tag (CWE-79) - CVE-2023-49779</li><li>Stored cross-site scripting vulnerability when processing the MathJax (CWE-79) - CVE-2023-49807</li><li>Stored cross-site scripting vulnerability in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page (CWE-79) - CVE-2023-50175</li><li>Cleartext storage of sensitive information vulnerability in the App Settings (/admin/app) page's Secret access key (CWE-312) - CVE-2023-50294</li><li>Improper authorization in the User Management (/admin/users) page (CWE-285) - CVE-2023-50332</li><li>Stored cross-site scripting vulnerability in the User Management (/admin/users) page (CWE-79) - CVE-2023-50339</li></ul> CVE-2023-42436 Kakeru Kajihara of NTT-ME System Operation Center reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-45737 Naoki Takayama of University of Tsukuba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-45740 Kanta Nishitani of GMO Cybersecurity by Ierae Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-46699 Norihide Saito reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-47215, CVE-2023-49779 Naoya Miyaguchi of Kanmu, Inc reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-49119 Naoki Takayama of University of Tsukuba, Suguru Itagaki of NTT-ME System Operation Center, and Norihide Saito of Flatt Security inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-49598 Naoya Miyaguchi of Kanmu, Inc, SHO ODAGIRI of GMO Cybersecurity by Ierae Inc., Tsubasa Fujii (@reinforchu), Eiji Mori of Flatt Security Inc., Shiga Takuma of BroadBand Security Inc., and Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-49807 Naoya Miyaguchi of Kanmu, Inc and Naoki Takayama of University of Tsukuba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-50175 Norihide Saito of Flatt Security inc., Naoya Miyaguchi of Kanmu, Inc, and Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-50294, CVE-2023-50332, CVE-2023-50339 Norihide Saito of Flatt Security inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

References

►

Type

URL

	JVN	https://jvn.jp/en/jp/JVN18715935/index.html
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-42436
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-45737
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-45740
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-46699
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-47215
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-49119
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-49598
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-49779
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-49807
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-50175
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-50294
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-50332
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-50339
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-42436
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-45737
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-45740
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-46699
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-47215
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-49119
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-49598
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-49779
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-49807
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-50175
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-50294
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-50332
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-50339
	Cross-Site Request Forgery(CWE-352)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	Cross-site Scripting(CWE-79)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	No Mapping(CWE-Other)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

►

Vendor

Product

WESEEK, Inc.

GROWI

Show details on JVN DB website