CVSS3: 6.5 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | HIGH |
| Availability Impact | NONE |

AI Score: 6.7 Medium (Confidence: High)

EPSS: 0.0005 Low (Percentile: 18.2%)
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
Stored cross-site scripting vulnerability in the presentation feature (CWE-79) - CVE-2023-42436

| CVSS Version | Vector | Base Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
| CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | 3.5 |
Stored cross-site scripting vulnerability in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page (CWE-79) - CVE-2023-45737

| CVSS Version | Vector | Base Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
| CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | 3.5 |
Stored cross-site scripting vulnerability when processing profile images (CWE-79) - CVE-2023-45740

| CVSS Version | Vector | Base Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
| CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | 3.5 |
Cross-site request forgery vulnerability in the User settings (/me) page (CWE-352) - CVE-2023-46699

| CVSS Version | Vector | Base Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | 3.5 |
| CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | 3.5 |
Stored cross-site scripting vulnerability exploiting a behavior of the XSS Filter (CWE-79) - CVE-2023-47215

| CVSS Version | Vector | Base Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
| CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | 3.5 |
Stored cross-site scripting vulnerability via the img tags (CWE-79) - CVE-2023-49119

| CVSS Version | Vector | Base Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
| CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | 3.5 |
Stored cross-site scripting vulnerability in the event handlers of the pre tags (CWE-79) - CVE-2023-49598

| CVSS Version | Vector | Base Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
| CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | 3.5 |
Stored cross-site scripting vulnerability in the anchor tag (CWE-79) - CVE-2023-49779

| CVSS Version | Vector | Base Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
| CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | 3.5 |
Stored cross-site scripting vulnerability when processing the MathJax (CWE-79) - CVE-2023-49807

| CVSS Version | Vector | Base Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
| CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | 3.5 |
Stored cross-site scripting vulnerability in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page (CWE-79) - CVE-2023-50175

| CVSS Version | Vector | Base Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
| CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | 3.5 |
Cleartext storage of sensitive information vulnerability in the App Settings (/admin/app) page’s Secret access key (CWE-312) - CVE-2023-50294

| CVSS Version | Vector | Base Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 4.9 |
| CVSS v2 | AV:N/AC:L/Au:S/C:P/I:N/A:N | 4.0 |
Improper authorization in the User Management (/admin/users) page (CWE-285) - CVE-2023-50332

| CVSS Version | Vector | Base Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | 4.3 |
| CVSS v2 | AV:N/AC:L/Au:N/C:N/I:P/A:N | 5.0 |
Stored cross-site scripting vulnerability in the User Management (/admin/users) page (CWE-79) - CVE-2023-50339

| CVSS Version | Vector | Base Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
| CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | 3.5 |
Update the Software
Update the software to the latest version according to the information provided by the developer.
The developer has released the following versions that contain fixes for the vulnerabilities.
| CVE | Affected versions | Fixed versions |
|---|---|---|
| CVE-2023-42436 | GROWI versions prior to v3.4.0 | GROWI v3.4.0 or later |
| CVE-2023-45737 | GROWI versions prior to v3.5.0 | GROWI v3.5.0 or later |
| CVE-2023-45740 | GROWI versions prior to v4.1.3 | GROWI v4.1.3 or later |
| CVE-2023-46699, CVE-2023-47215, CVE-2023-49119, CVE-2023-49598, CVE-2023-49779, CVE-2023-49807, CVE-2023-50175 | GROWI versions prior to v6.0.0 | GROWI v6.0.0 or later |
| CVE-2023-50294, CVE-2023-50332 | GROWI versions prior to v6.0.6 | GROWI v6.0.6 or later |
| CVE-2023-50339 | GROWI versions prior to v6.1.11 | GROWI v6.1.11 or later |