13 vulnerabilities found for GROWI by WESEEK, Inc.

jvndb-2023-000123
Vulnerability from jvndb
Published
2023-12-13 15:30
Modified
2024-03-19 17:46
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.

* Stored cross-site scripting vulnerability in the presentation feature (CWE-79) - CVE-2023-42436
* Stored cross-site scripting vulnerability in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page (CWE-79) - CVE-2023-45737
* Stored cross-site scripting vulnerability when processing profile images (CWE-79) - CVE-2023-45740
* Cross-site request forgery vulnerability in the User settings (/me) page (CWE-352) - CVE-2023-46699
* Stored cross-site scripting vulnerability exploiting a behavior of the XSS Filter (CWE-79) - CVE-2023-47215
* Stored cross-site scripting vulnerability via the img tags (CWE-79) - CVE-2023-49119
* Stored cross-site scripting vulnerability in the event handlers of the pre tags (CWE-79) - CVE-2023-49598
* Stored cross-site scripting vulnerability in the anchor tag (CWE-79) - CVE-2023-49779
* Stored cross-site scripting vulnerability when processing the MathJax (CWE-79) - CVE-2023-49807
* Stored cross-site scripting vulnerability in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page (CWE-79) - CVE-2023-50175
* Cleartext storage of sensitive information vulnerability in the App Settings (/admin/app) page's Secret access key (CWE-312) - CVE-2023-50294
* Improper authorization in the User Management (/admin/users) page (CWE-285) - CVE-2023-50332
* Stored cross-site scripting vulnerability in the User Management (/admin/users) page (CWE-79) - CVE-2023-50339

CVE-2023-42436
Kakeru Kajihara of NTT-ME System Operation Center reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2023-45737
Naoki Takayama of University of Tsukuba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2023-45740
Kanta Nishitani of GMO Cybersecurity by Ierae Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2023-46699
Norihide Saito reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2023-47215, CVE-2023-49779
Naoya Miyaguchi of Kanmu, Inc reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2023-49119
Naoki Takayama of University of Tsukuba, Suguru Itagaki of NTT-ME System Operation Center, and Norihide Saito of Flatt Security inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2023-49598
Naoya Miyaguchi of Kanmu, Inc, SHO ODAGIRI of GMO Cybersecurity by Ierae Inc., Tsubasa Fujii (@reinforchu), Eiji Mori of Flatt Security Inc., Shiga Takuma of BroadBand Security Inc., and Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2023-49807
Naoya Miyaguchi of Kanmu, Inc and Naoki Takayama of University of Tsukuba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2023-50175
Norihide Saito of Flatt Security inc., Naoya Miyaguchi of Kanmu, Inc, and Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2023-50294, CVE-2023-50332, CVE-2023-50339
Norihide Saito of Flatt Security inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
JVN https://jvn.jp/en/jp/JVN18715935/index.html
CVE https://www.cve.org/CVERecord?id=CVE-2023-42436
CVE https://www.cve.org/CVERecord?id=CVE-2023-45737
CVE https://www.cve.org/CVERecord?id=CVE-2023-45740
CVE https://www.cve.org/CVERecord?id=CVE-2023-46699
CVE https://www.cve.org/CVERecord?id=CVE-2023-47215
CVE https://www.cve.org/CVERecord?id=CVE-2023-49119
CVE https://www.cve.org/CVERecord?id=CVE-2023-49598
CVE https://www.cve.org/CVERecord?id=CVE-2023-49779
CVE https://www.cve.org/CVERecord?id=CVE-2023-49807
CVE https://www.cve.org/CVERecord?id=CVE-2023-50175
CVE https://www.cve.org/CVERecord?id=CVE-2023-50294
CVE https://www.cve.org/CVERecord?id=CVE-2023-50332
CVE https://www.cve.org/CVERecord?id=CVE-2023-50339
NVD https://nvd.nist.gov/vuln/detail/CVE-2023-42436
NVD https://nvd.nist.gov/vuln/detail/CVE-2023-45737
NVD https://nvd.nist.gov/vuln/detail/CVE-2023-45740
NVD https://nvd.nist.gov/vuln/detail/CVE-2023-46699
NVD https://nvd.nist.gov/vuln/detail/CVE-2023-47215
NVD https://nvd.nist.gov/vuln/detail/CVE-2023-49119
NVD https://nvd.nist.gov/vuln/detail/CVE-2023-49598
NVD https://nvd.nist.gov/vuln/detail/CVE-2023-49779
NVD https://nvd.nist.gov/vuln/detail/CVE-2023-49807
NVD https://nvd.nist.gov/vuln/detail/CVE-2023-50175
NVD https://nvd.nist.gov/vuln/detail/CVE-2023-50294
NVD https://nvd.nist.gov/vuln/detail/CVE-2023-50332
NVD https://nvd.nist.gov/vuln/detail/CVE-2023-50339
Cross-Site Request Forgery(CWE-352) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Cross-site Scripting(CWE-79) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
No Mapping(CWE-Other) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000123.html",
  "dc:date": "2024-03-19T17:46+09:00",
  "dcterms:issued": "2023-12-13T15:30+09:00",
  "dcterms:modified": "2024-03-19T17:46+09:00",
  "description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eStored cross-site scripting vulnerability in the presentation feature (CWE-79) - CVE-2023-42436\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page (CWE-79) - CVE-2023-45737\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability when processing profile images (CWE-79) - CVE-2023-45740\u003c/li\u003e\u003cli\u003eCross-site request forgery vulnerability in the User settings (/me) page (CWE-352) - CVE-2023-46699\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability exploiting a behavior of the XSS Filter (CWE-79) - CVE-2023-47215\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability via the img tags (CWE-79) - CVE-2023-49119\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the event handlers of the pre tags (CWE-79) - CVE-2023-49598\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the anchor tag (CWE-79) - CVE-2023-49779\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability when processing the MathJax (CWE-79) - CVE-2023-49807\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page (CWE-79) - CVE-2023-50175\u003c/li\u003e\u003cli\u003eCleartext storage of sensitive information vulnerability in the App Settings (/admin/app) page\u0027s Secret access key (CWE-312) - CVE-2023-50294\u003c/li\u003e\u003cli\u003eImproper authorization in the User Management (/admin/users) page (CWE-285) - CVE-2023-50332\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the User Management (/admin/users) page (CWE-79) - CVE-2023-50339\u003c/li\u003e\u003c/ul\u003e\r\nCVE-2023-42436\r\nKakeru Kajihara of NTT-ME System Operation Center reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-45737\r\nNaoki Takayama of University of Tsukuba reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-45740\r\nKanta Nishitani of GMO Cybersecurity by Ierae Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-46699\r\nNorihide Saito reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-47215, CVE-2023-49779\r\nNaoya Miyaguchi of Kanmu, Inc reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-49119\r\nNaoki Takayama of University of Tsukuba, Suguru Itagaki of NTT-ME System Operation Center, and Norihide Saito of Flatt Security inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-49598\r\nNaoya Miyaguchi of Kanmu, Inc, SHO ODAGIRI of GMO Cybersecurity by Ierae Inc., Tsubasa Fujii (@reinforchu), Eiji Mori of Flatt Security Inc., Shiga Takuma of BroadBand Security Inc., and Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-49807\r\nNaoya Miyaguchi of Kanmu, Inc and Naoki Takayama of University of Tsukuba reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-50175\r\nNorihide Saito of Flatt Security inc., Naoya Miyaguchi of Kanmu, Inc, and Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-50294, CVE-2023-50332, CVE-2023-50339\r\nNorihide Saito of Flatt Security inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000123.html",
  "sec:cpe": {
    "#text": "cpe:/a:weseek:growi",
    "@product": "GROWI",
    "@vendor": "WESEEK, Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "5.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "4.3",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2023-000123",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN18715935/index.html",
      "@id": "JVN#18715935",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-42436",
      "@id": "CVE-2023-42436",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-45737",
      "@id": "CVE-2023-45737",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-45740",
      "@id": "CVE-2023-45740",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-46699",
      "@id": "CVE-2023-46699",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-47215",
      "@id": "CVE-2023-47215",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-49119",
      "@id": "CVE-2023-49119",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-49598",
      "@id": "CVE-2023-49598",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-49779",
      "@id": "CVE-2023-49779",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-49807",
      "@id": "CVE-2023-49807",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-50175",
      "@id": "CVE-2023-50175",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-50294",
      "@id": "CVE-2023-50294",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-50332",
      "@id": "CVE-2023-50332",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-50339",
      "@id": "CVE-2023-50339",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-42436",
      "@id": "CVE-2023-42436",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-45737",
      "@id": "CVE-2023-45737",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-45740",
      "@id": "CVE-2023-45740",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-46699",
      "@id": "CVE-2023-46699",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-47215",
      "@id": "CVE-2023-47215",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49119",
      "@id": "CVE-2023-49119",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49598",
      "@id": "CVE-2023-49598",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49779",
      "@id": "CVE-2023-49779",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49807",
      "@id": "CVE-2023-49807",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50175",
      "@id": "CVE-2023-50175",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50294",
      "@id": "CVE-2023-50294",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50332",
      "@id": "CVE-2023-50332",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50339",
      "@id": "CVE-2023-50339",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-352",
      "@title": "Cross-Site Request Forgery(CWE-352)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "Multiple vulnerabilities in GROWI"
}

jvndb-2022-000076
Vulnerability from jvndb
Published
2022-10-07 14:30
Modified
2024-06-12 12:04
Summary
Growi vulnerable to improper access control
Details
GROWI provided by WESEEK, Inc. contains an improper access control vulnerability (CWE-284). Kenta Yamamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000076.html",
  "dc:date": "2024-06-12T12:04+09:00",
  "dcterms:issued": "2022-10-07T14:30+09:00",
  "dcterms:modified": "2024-06-12T12:04+09:00",
  "description": "GROWI provided by WESEEK, Inc. contains an improper access control vulnerability (CWE-284).\r\n\r\nKenta Yamamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000076.html",
  "sec:cpe": {
    "#text": "cpe:/a:weseek:growi",
    "@product": "GROWI",
    "@vendor": "WESEEK, Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "4.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
      "@version": "2.0"
    },
    {
      "@score": "4.3",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2022-000076",
  "sec:references": [
    {
      "#text": "http://jvn.jp/en/jp/JVN00845253/index.html",
      "@id": "JVN#00845253",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2022-41799",
      "@id": "CVE-2022-41799",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-41799",
      "@id": "CVE-2022-41799",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-264",
      "@title": "Permissions(CWE-264)"
    }
  ],
  "title": "Growi vulnerable to improper access control"
}

jvndb-2022-001953
Vulnerability from jvndb
Published
2022-06-15 17:47
Modified
2022-06-15 17:47
Summary
Growi vulnerable to weak password requirements
Details
GROWI provided by WESEEK, Inc. contains a weak password requirements vulnerability (CWE-521, CVE-2022-1236). 418sec first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WESEEK, Inc. as a coordinator. After the coordination between 418sec and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001953.html",
  "dc:date": "2022-06-15T17:47+09:00",
  "dcterms:issued": "2022-06-15T17:47+09:00",
  "dcterms:modified": "2022-06-15T17:47+09:00",
  "description": "GROWI provided by WESEEK, Inc. contains a weak password requirements vulnerability (CWE-521, CVE-2022-1236).\r\n\r\n418sec first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WSEEK, Inc. as a coordinator. After the coordination between 418sec and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.",
  "link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001953.html",
  "sec:cpe": {
    "#text": "cpe:/a:weseek:growi",
    "@product": "GROWI",
    "@vendor": "WESEEK, Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "6.4",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "6.5",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2022-001953",
  "sec:references": [
    {
      "#text": "http://jvn.jp/en/vu/JVNVU96438711/index.html",
      "@id": "JVNVU#96438711",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2022-1236",
      "@id": "CVE-2022-1236",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-1236",
      "@id": "CVE-2022-1236",
      "@source": "NVD"
    },
    {
      "#text": "https://huntr.dev/bounties/c7df088f-e355-45e6-9267-e41030dc6a32/?token=7f784544ffb530a9e6bef04557518633e763810d60f107095451c58b34645b81ad18529d3ea12f3b61ba547c99a0d87b2324e52da6efc4b01ec175416c479099bf5de3d16b8f07f0758556c278d058872597936f0e4fea7acb2bd2bc",
      "@id": "Weak Password Requirements in weseek/growi",
      "@source": "Related document"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/521.html",
      "@id": "CWE-521",
      "@title": "Weak Password Requirements(CWE-521)"
    }
  ],
  "title": "Growi vulnerable to weak password requirements"
}

jvndb-2022-001087
Vulnerability from jvndb
Published
2022-01-24 14:07
Modified
2022-01-24 14:07
Summary
GROWI vulnerable to authorization bypass through user-controlled key
Details
GROWI provided by WESEEK, Inc. contains an authorization bypass through user-controlled key vulnerability (CWE-639, CVE-2021-3852). huntr first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WESEEK, Inc. as an intermediator. After the coordination between huntr and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001087.html",
  "dc:date": "2022-01-24T14:07+09:00",
  "dcterms:issued": "2022-01-24T14:07+09:00",
  "dcterms:modified": "2022-01-24T14:07+09:00",
  "description": "GROWI provided by WESEEK, Inc. contains an authorization bypass through user-controlled key vulnerability (CWE-639, CVE-2021-3852).\r\n\r\nhuntr first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WSEEK, Inc. as an intermediator. After the coordination between huntr and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.",
  "link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001087.html",
  "sec:cpe": {
    "#text": "cpe:/a:weseek:growi",
    "@product": "GROWI",
    "@vendor": "WESEEK, Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "5.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "7.3",
      "@severity": "High",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2022-001087",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/vu/JVNVU94151526/",
      "@id": "JVNVU#94151526",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2021-3852",
      "@id": "CVE-2021-3852",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-3852",
      "@id": "CVE-2021-3852",
      "@source": "NVD"
    },
    {
      "#text": "https://huntr.dev/bounties/d44def81-2834-4031-9037-e923975c3852/",
      "@id": "Authorization Bypass Through User-Controlled Key in weseek/growi",
      "@source": "Related document"
    },
    {
      "#text": "https://vuldb.com/?id.190179",
      "@id": "VDB-190179 (GROWI AUTHORIZATION)",
      "@source": "Related document"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/639.html",
      "@id": "CWE-639",
      "@title": "Authorization Bypass Through User-Controlled Key(CWE-639)"
    }
  ],
  "title": "GROWI vulnerable to authorization bypass through user-controlled key"
}

jvndb-2021-000050
Vulnerability from jvndb
Published
2021-06-14 15:10
Modified
2021-06-14 15:10
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.

* NoSQL injection (CWE-943) - CVE-2021-20736
* Improper authentication (CWE-287) - CVE-2021-20737

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000050.html",
  "dc:date": "2021-06-14T15:10+09:00",
  "dcterms:issued": "2021-06-14T15:10+09:00",
  "dcterms:modified": "2021-06-14T15:10+09:00",
  "description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.\r\n*NoSQL injection (CWE-943) - CVE-2021-20736\r\n*Improper authentication (CWE-287) - CVE-2021-20737",
  "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000050.html",
  "sec:cpe": {
    "#text": "cpe:/a:weseek:growi",
    "@product": "GROWI",
    "@vendor": "WESEEK, Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "7.5",
      "@severity": "High",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "7.3",
      "@severity": "High",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2021-000050",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN95457785/",
      "@id": "JVN#95457785",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20736",
      "@id": "CVE-2021-20736",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20737",
      "@id": "CVE-2021-20737",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20736",
      "@id": "CVE-2021-20736",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20737",
      "@id": "CVE-2021-20737",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-287",
      "@title": "Improper Authentication(CWE-287)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "Multiple vulnerabilities in GROWI"
}

jvndb-2021-000019
Vulnerability from jvndb
Published
2021-03-10 16:11
Modified
2021-03-10 16:11
Summary
Multiple cross-site scripting vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below.

* Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters (CWE-79) - CVE-2021-20672
* Stored cross-site scripting vulnerability in Admin Page (CWE-79) - CVE-2021-20673

Naoya Miyaguchi of 3-shake Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000019.html",
  "dc:date": "2021-03-10T16:11+09:00",
  "dcterms:issued": "2021-03-10T16:11+09:00",
  "dcterms:modified": "2021-03-10T16:11+09:00",
  "description": "GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below.\r\n*Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters (CWE-79) - CVE-2021-20672\r\n*Stored cross-site scripting vulnerability in Admin Page (CWE-79) - CVE-2021-20673\r\n\r\nNaoya Miyaguchi of 3-shake Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000019.html",
  "sec:cpe": {
    "#text": "cpe:/a:weseek:growi",
    "@product": "GROWI",
    "@vendor": "WESEEK, Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "3.5",
      "@severity": "Low",
      "@type": "Base",
      "@vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "4.8",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2021-000019",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN86438134/index.html",
      "@id": "JVN#86438134",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20672",
      "@id": "CVE-2021-20672",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20673",
      "@id": "CVE-2021-20673",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20672",
      "@id": "CVE-2021-20672",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20673",
      "@id": "CVE-2021-20673",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "Multiple cross-site scripting vulnerabilities in GROWI"
}

jvndb-2021-001123
Vulnerability from jvndb
Published
2021-03-09 14:17
Modified
2021-09-24 13:34
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.

* Stored Cross-site Scripting (CWE-79) - CVE-2021-20667
* Path Traversal (CWE-22) - CVE-2021-20668
* Path Traversal (CWE-22) - CVE-2021-20669
* Improper Access Control (CWE-284) - CVE-2021-20670
* Improper Input Validation (CWE-20) - CVE-2021-20671
* Site Scripting (CWE-79) - CVE-2021-20829

stypr of Flatt Security Inc. reported these vulnerabilities to the developer and coordinated on his own. After coordination was completed, this case was reported to JPCERT/CC, and JPCERT/CC coordinated with the developer for the publication.

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-001123.html",
  "dc:date": "2021-09-24T13:34+09:00",
  "dcterms:issued": "2021-03-09T14:17+09:00",
  "dcterms:modified": "2021-09-24T13:34+09:00",
  "description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.\r\n\r\n    Stored Cross-site Scripting (CWE-79) - CVE-2021-20667\r\n    Path Traversal (CWE-22) - CVE-2021-20668\r\n    Path Traversal (CWE-22) - CVE-2021-20669\r\n    Improper Access Control (CWE-284) - CVE-2021-20670\r\n    Improper Input Validation (CWE-20) - CVE-2021-20671\r\n    Site Scripting (CWE-79) - CVE-2021-20829\r\n\r\nstypr of Flatt Security Inc. reported these vulnerabilities to the developer and coordinated on his own.\r\nAfter coordination was completed, this case was reported to JPCERT/CC, and JPCERT/CC coordinated with the developer for the publication.",
  "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-001123.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:weseek:growi",
      "@product": "GROWI",
      "@vendor": "WESEEK, Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:weseek:growi",
      "@product": "GROWI",
      "@vendor": "WESEEK, Inc.",
      "@version": "2.2"
    }
  ],
  "sec:cvss": {
    "@score": "3.7",
    "@severity": "Low",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2021-001123",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/vu/JVNVU94889258/",
      "@id": "JVNVU#94889258",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20667",
      "@id": "CVE-2021-20667",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20668",
      "@id": "CVE-2021-20668",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20669",
      "@id": "CVE-2021-20669",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20670",
      "@id": "CVE-2021-20670",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20671",
      "@id": "CVE-2021-20671",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20829",
      "@id": "CVE-2021-20829",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20667",
      "@id": "CVE-2021-20667",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20668",
      "@id": "CVE-2021-20668",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20669",
      "@id": "CVE-2021-20669",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20670",
      "@id": "CVE-2021-20670",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20671",
      "@id": "CVE-2021-20671",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20829",
      "@id": "CVE-2021-20829",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-20",
      "@title": "Improper Input Validation(CWE-20)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-22",
      "@title": "Path Traversal(CWE-22)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/284.html",
      "@id": "CWE-284",
      "@title": "Improper Access Control(CWE-284)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "Multiple vulnerabilities in GROWI"
}

jvndb-2021-000005
Vulnerability from jvndb
Published
2021-01-19 14:05
Modified
2021-01-19 14:05
Severity ?
Summary
GROWI vulnerable to cross-site scripting
Details
GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability (CWE-79). Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Impacted products


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000005.html",
  "dc:date": "2021-01-19T14:05+09:00",
  "dcterms:issued": "2021-01-19T14:05+09:00",
  "dcterms:modified": "2021-01-19T14:05+09:00",
  "description": "GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nYuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000005.html",
  "sec:cpe": {
    "#text": "cpe:/a:weseek:growi",
    "@product": "GROWI",
    "@vendor": "WESEEK, Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "4.3",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "6.1",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2021-000005",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN57544707/index.html",
      "@id": "JVN#57544707",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20619",
      "@id": "CVE-2021-20619",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20619",
      "@id": "CVE-2021-20619",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "GROWI vulnerable to cross-site scripting"
}

jvndb-2020-000085
Vulnerability from jvndb
Published
2020-12-15 15:41
Modified
2021-08-30 16:29
Severity ?
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
* Denial-of-service (DoS) due to improper verification of input values (CWE-400) - CVE-2020-5682
* Directory traversal due to improper verification of uploaded files (CWE-22) - CVE-2020-5683
These vulnerabilities were reported by the following persons to IPA, and JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2020-5682: Norihide Saito of Information Science College / Flatt Security inc.
CVE-2020-5683: Daisuke Takahashi of CyberAgent, Inc.
Impacted products


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000085.html",
  "dc:date": "2021-08-30T16:29+09:00",
  "dcterms:issued": "2020-12-15T15:41+09:00",
  "dcterms:modified": "2021-08-30T16:29+09:00",
  "description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.\r\n* Denial-of-service (DoS) due to improper verification of input values (CWE-400) - CVE-2020-5682\r\n* Directory traversal due to improper verification of uploaded files (CWE-22) - CVE-2020-5683\r\n\r\nThese vulnerabilities were reported by the following persons to IPA, and JPCERT/CC coordinated coordinated with the developer under Information Security Early Warning Partnership.\r\nCVE-2020-5682\r\nNorihide Saito of Information Science College / Flatt Security inc.\r\nCVE-2020-5683\r\nDaisuke Takahashi of CyberAgent, Inc.",
  "link": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000085.html",
  "sec:cpe": {
    "#text": "cpe:/a:weseek:growi",
    "@product": "GROWI",
    "@vendor": "WESEEK, Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "5.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
      "@version": "2.0"
    },
    {
      "@score": "5.3",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2020-000085",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN94169589/index.html",
      "@id": "JVN#94169589",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5682",
      "@id": "CVE-2020-5682",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5683",
      "@id": "CVE-2020-5683",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5682",
      "@id": "CVE-2020-5682",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5683",
      "@id": "CVE-2020-5683",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-22",
      "@title": "Path Traversal(CWE-22)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "Multiple vulnerabilities in GROWI"
}

jvndb-2020-000077
Vulnerability from jvndb
Published
2020-11-25 14:54
Modified
2020-11-25 14:54
Severity ?
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
* Information disclosure (CWE-200) - CVE-2020-5676
* Reflected cross-site scripting vulnerability due to a flaw in processing input URLs (CWE-79) - CVE-2020-5677
* Stored cross-site scripting vulnerability due to a flaw in processing POST requests (CWE-79) - CVE-2020-5678
Norihide Saito of information science college reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Impacted products


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000077.html",
  "dc:date": "2020-11-25T14:54+09:00",
  "dcterms:issued": "2020-11-25T14:54+09:00",
  "dcterms:modified": "2020-11-25T14:54+09:00",
  "description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.\r\n\r\n* Information disclosure (CWE-200) - CVE-2020-5676\r\n* Reflected cross-site scripting vulnerability due to a flaw in processing input URLs (CWE-79) - CVE-2020-5677\r\n* Stored cross-site scripting vulnerability due to a flaw in processing POST requests (CWE-79) - CVE-2020-5678\r\n\r\nNorihide Saito of information science college reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000077.html",
  "sec:cpe": {
    "#text": "cpe:/a:weseek:growi",
    "@product": "GROWI",
    "@vendor": "WESEEK, Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "5.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
      "@version": "2.0"
    },
    {
      "@score": "5.3",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2020-000077",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN56450373/index.html",
      "@id": "JVN#56450373",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5676",
      "@id": "CVE-2020-5676",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5677",
      "@id": "CVE-2020-5677",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5678",
      "@id": "CVE-2020-5678",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5676",
      "@id": "CVE-2020-5676",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5677",
      "@id": "CVE-2020-5677",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5678",
      "@id": "CVE-2020-5678",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-200",
      "@title": "Information Exposure(CWE-200)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "Multiple vulnerabilities in GROWI"
}

jvndb-2019-000033
Vulnerability from jvndb
Published
2019-06-07 15:18
Modified
2019-10-01 10:46
Severity ?
Summary
Multiple vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
* Cross-site request forgery vulnerability in the process of updating user's "Basic Info" (CWE-352) - CVE-2019-5968
* Open redirect vulnerability in the process of login (CWE-601) - CVE-2019-5969
Security Group of DeCurret Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Impacted products


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000033.html",
  "dc:date": "2019-10-01T10:46+09:00",
  "dcterms:issued": "2019-06-07T15:18+09:00",
  "dcterms:modified": "2019-10-01T10:46+09:00",
  "description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. \r\n* Cross-site request forgery vulnerability in the process of updating user\u0027s \"Basic Info\" (CWE-352) - CVE-2019-5968\r\n* Open redirect vulnerability in the process of login (CWE-601) - CVE-2019-5969\r\n\r\nSecurity Group of DeCurret Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000033.html",
  "sec:cpe": {
    "#text": "cpe:/a:weseek:growi",
    "@product": "GROWI",
    "@vendor": "WESEEK, Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "4.3",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "4.3",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2019-000033",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN84876282/index.html",
      "@id": "JVN#84876282",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5968",
      "@id": "CVE-2019-5968",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5969",
      "@id": "CVE-2019-5969",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-5968",
      "@id": "CVE-2019-5968",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-5969",
      "@id": "CVE-2019-5969",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-20",
      "@title": "Improper Input Validation(CWE-20)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-352",
      "@title": "Cross-Site Request Forgery(CWE-352)"
    }
  ],
  "title": "Multiple vulnerabilities in GROWI"
}

jvndb-2018-000137
Vulnerability from jvndb
Published
2018-12-26 16:36
Modified
2019-08-27 15:07
Severity ?
Summary
GROWI vulnerable to cross-site scripting
Details
GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability (CWE-79). The settings option for enabling and disabling the measures against cross-site scripting ("Enable XSS prevention" option) was introduced in v3.1.12. However, there was an issue with the implementation where the option looks enabled although the measures are disabled. This vulnerability was addressed in v3.2.4 according to the developer. Takashi Yoneuchi of The University of Tokyo College of Arts and Sciences reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Impacted products


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000137.html",
  "dc:date": "2019-08-27T15:07+09:00",
  "dcterms:issued": "2018-12-26T16:36+09:00",
  "dcterms:modified": "2019-08-27T15:07+09:00",
  "description": "GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nThe settings option for enabling and disabling the measures against cross-site scripting (\"Enable XSS prevention\" option) was introduced in v3.1.12. However, there was an issue with the implementation where the option looks enabled although the measures are disabled. This vulnerability was addressed in v3.2.4 according to the developer.\r\n\r\nTakashi Yoneuchi of The University of Tokyo College of Arts and Sciences reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000137.html",
  "sec:cpe": {
    "#text": "cpe:/a:weseek:growi",
    "@product": "GROWI",
    "@vendor": "WESEEK, Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "4.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "5.4",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2018-000137",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN96493183/index.html",
      "@id": "JVN#96493183",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0698",
      "@id": "CVE-2018-0698",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16205",
      "@id": "CVE-2018-16205",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0698",
      "@id": "CVE-2018-0698",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-16205",
      "@id": "CVE-2018-16205",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "GROWI vulnerable to cross-site scripting"
}

jvndb-2018-000085
Vulnerability from jvndb
Published
2018-08-03 15:04
Modified
2019-07-05 17:13
Severity ?
Summary
Multiple cross-site scripting vulnerabilities in GROWI
Details
GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below.
* Stored cross-site scripting vulnerability in the UserGroup Management section of admin page (CWE-79) - CVE-2018-0652
* Stored cross-site scripting vulnerability in Wiki page view (CWE-79) - CVE-2018-0653
* Reflected cross-site scripting vulnerability in the modal for creating Wiki page (CWE-79) - CVE-2018-0654
* Stored cross-site scripting in the app settings section of admin page (CWE-79) - CVE-2018-0655
The following researchers reported the vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2018-0652, CVE-2018-0653: Yoshinori Hayashi of Information Science College
CVE-2018-0654, CVE-2018-0655: Kanta Nishitani of Information Science College
Impacted products


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000085.html",
  "dc:date": "2019-07-05T17:13+09:00",
  "dcterms:issued": "2018-08-03T15:04+09:00",
  "dcterms:modified": "2019-07-05T17:13+09:00",
  "description": "GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below.  \r\n* Stored cross-site scripting vulnerability in the UserGroup Management section of admin page (CWE-79) - CVE-2018-0652 \r\n* Stored cross-site scripting vulnerability in Wiki page view (CWE-79) - CVE-2018-0653 \r\n* Reflected cross-site scripting vulnerability in the modal for creating Wiki page (CWE-79) - CVE-2018-0654 \r\n* Stored cross-site scripting in the app settings section of admin page (CWE-79) - CVE-2018-0655\r\n\r\nThe following researchers reported the vulnerabilities to IPA.\r\n JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\n CVE-2018-0652, CVE-2018-0653\r\n Yoshinori Hayashi of Information Science College\r\n\r\n CVE-2018-0654, CVE-2018-0655\r\n Kanta Nishitani of Information Science College",
  "link": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000085.html",
  "sec:cpe": {
    "#text": "cpe:/a:weseek:growi",
    "@product": "GROWI",
    "@vendor": "WESEEK, Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "4.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "6.4",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2018-000085",
  "sec:references": [
    {
      "#text": "http://jvn.jp/en/jp/JVN18716340/index.html",
      "@id": "JVN#18716340",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0652",
      "@id": "CVE-2018-0652",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0653",
      "@id": "CVE-2018-0653",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0654",
      "@id": "CVE-2018-0654",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0655",
      "@id": "CVE-2018-0655",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0652",
      "@id": "CVE-2018-0652",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0653",
      "@id": "CVE-2018-0653",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0654",
      "@id": "CVE-2018-0654",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0655",
      "@id": "CVE-2018-0655",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "Multiple cross-site scripting vulnerabilities in GROWI"
}