Vulnerability-Lookup

CVE-2023-45740 (GCVE-0-2023-45740)

Vulnerability from cvelistv5 – Published: 2023-12-26 07:20 – Updated: 2025-04-23 16:03

Summary

Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

Cross-site scripting (XSS)

Assigner

jpcert

References

URL

Tags

	https://weseek.co.jp/ja/news/2023/11/21/growi-pre…
	https://jvn.jp/en/jp/JVN18715935/

Impacted products

	Vendor	Product	Version
	WESEEK, Inc.	GROWI	Affected: prior to v4.1.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T20:29:32.245Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN18715935/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-45740",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-01-02T17:52:27.722596Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:03:49.231Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GROWI",
          "vendor": "WESEEK, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "prior to v4.1.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-site scripting (XSS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-26T07:20:42.853Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN18715935/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2023-45740",
    "datePublished": "2023-12-26T07:20:42.853Z",
    "dateReserved": "2023-12-07T02:39:50.226Z",
    "dateUpdated": "2025-04-23T16:03:49.231Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"vendor\": \"WESEEK, Inc.\", \"product\": \"GROWI\", \"versions\": [{\"version\": \"prior to v4.1.3\", \"status\": \"affected\"}]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.\"}], \"problemTypes\": [{\"descriptions\": [{\"description\": \"Cross-site scripting (XSS)\", \"lang\": \"en\", \"type\": \"text\"}]}], \"references\": [{\"url\": \"https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/\"}, {\"url\": \"https://jvn.jp/en/jp/JVN18715935/\"}], \"providerMetadata\": {\"orgId\": \"ede6fdc4-6654-4307-a26d-3331c018e2ce\", \"shortName\": \"jpcert\", \"dateUpdated\": \"2023-12-26T07:20:42.853Z\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T20:29:32.245Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://jvn.jp/en/jp/JVN18715935/\", \"tags\": [\"x_transferred\"]}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-45740\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-01-02T17:52:27.722596Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T16:03:03.776Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-45740\", \"assignerOrgId\": \"ede6fdc4-6654-4307-a26d-3331c018e2ce\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"jpcert\", \"dateReserved\": \"2023-12-07T02:39:50.226Z\", \"datePublished\": \"2023-12-26T07:20:42.853Z\", \"dateUpdated\": \"2025-04-23T16:03:49.231Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2023-45740

Vulnerability from fkie_nvd - Published: 2023-12-26 08:15 - Updated: 2025-04-23 16:15

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
vultures@jpcert.or.jp	https://jvn.jp/en/jp/JVN18715935/	Third Party Advisory
vultures@jpcert.or.jp	https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://jvn.jp/en/jp/JVN18715935/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/	Vendor Advisory

Impacted products

	Vendor	Product	Version
	weseek	growi	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:weseek:growi:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2A391DBE-7AF1-4D74-9AA0-DBA4B971D298",
              "versionEndExcluding": "4.1.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad de cross-site scripting almacenado al procesar im\u00e1genes de perfil existe en las versiones de GROWI anteriores a la v4.1.3. Si se explota esta vulnerabilidad, se puede ejecutar un script arbitrario en el navegador web del usuario que accedi\u00f3 al sitio utilizando el producto."
    }
  ],
  "id": "CVE-2023-45740",
  "lastModified": "2025-04-23T16:15:29.263",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-12-26T08:15:10.010",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN18715935/"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN18715935/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GSD-2023-45740

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-45740

Aliases

CVE-2023-45740

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-45740",
    "id": "GSD-2023-45740"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-45740"
      ],
      "details": "Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.",
      "id": "GSD-2023-45740",
      "modified": "2023-12-13T01:20:38.046017Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "vultures@jpcert.or.jp",
        "ID": "CVE-2023-45740",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "GROWI",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "prior to v4.1.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "WESEEK, Inc."
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Cross-site scripting (XSS)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/",
            "refsource": "MISC",
            "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
          },
          {
            "name": "https://jvn.jp/en/jp/JVN18715935/",
            "refsource": "MISC",
            "url": "https://jvn.jp/en/jp/JVN18715935/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:weseek:growi:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "2A391DBE-7AF1-4D74-9AA0-DBA4B971D298",
                    "versionEndExcluding": "4.1.3",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product."
          },
          {
            "lang": "es",
            "value": "La vulnerabilidad de cross-site scripting almacenado al procesar im\u00e1genes de perfil existe en las versiones de GROWI anteriores a la v4.1.3. Si se explota esta vulnerabilidad, se puede ejecutar un script arbitrario en el navegador web del usuario que accedi\u00f3 al sitio utilizando el producto."
          }
        ],
        "id": "CVE-2023-45740",
        "lastModified": "2024-01-04T17:11:01.707",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.3,
              "impactScore": 2.7,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2023-12-26T08:15:10.010",
        "references": [
          {
            "source": "vultures@jpcert.or.jp",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://jvn.jp/en/jp/JVN18715935/"
          },
          {
            "source": "vultures@jpcert.or.jp",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/"
          }
        ],
        "sourceIdentifier": "vultures@jpcert.or.jp",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-79"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

GHSA-G8W6-GHCH-W9W2

Vulnerability from github – Published: 2023-12-26 09:30 – Updated: 2025-04-23 18:30

Details

Severity ?

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-45740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-26T08:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.",
  "id": "GHSA-g8w6-ghch-w9w2",
  "modified": "2025-04-23T18:30:51Z",
  "published": "2023-12-26T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45740"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN18715935"
    },
    {
      "type": "WEB",
      "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

JVNDB-2023-000123

Vulnerability from jvndb - Published: 2023-12-13 15:30 - Updated:2024-03-19 17:46

Severity ?

4.3 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Summary

Multiple vulnerabilities in GROWI

Details

GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.

Stored cross-site scripting vulnerability in the presentation feature (CWE-79) - CVE-2023-42436
Stored cross-site scripting vulnerability in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page (CWE-79) - CVE-2023-45737
Stored cross-site scripting vulnerability when processing profile images (CWE-79) - CVE-2023-45740
Cross-site request forgery vulnerability in the User settings (/me) page (CWE-352) - CVE-2023-46699
Stored cross-site scripting vulnerability exploiting a behavior of the XSS Filter (CWE-79) - CVE-2023-47215
Stored cross-site scripting vulnerability via the img tags (CWE-79) - CVE-2023-49119
Stored cross-site scripting vulnerability in the event handlers of the pre tags (CWE-79) - CVE-2023-49598
Stored cross-site scripting vulnerability in the anchor tag (CWE-79) - CVE-2023-49779
Stored cross-site scripting vulnerability when processing the MathJax (CWE-79) - CVE-2023-49807
Stored cross-site scripting vulnerability in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page (CWE-79) - CVE-2023-50175
Cleartext storage of sensitive information vulnerability in the App Settings (/admin/app) page's Secret access key (CWE-312) - CVE-2023-50294
Improper authorization in the User Management (/admin/users) page (CWE-285) - CVE-2023-50332
Stored cross-site scripting vulnerability in the User Management (/admin/users) page (CWE-79) - CVE-2023-50339

CVE-2023-42436 Kakeru Kajihara of NTT-ME System Operation Center reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-45737 Naoki Takayama of University of Tsukuba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-45740 Kanta Nishitani of GMO Cybersecurity by Ierae Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-46699 Norihide Saito reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-47215, CVE-2023-49779 Naoya Miyaguchi of Kanmu, Inc reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-49119 Naoki Takayama of University of Tsukuba, Suguru Itagaki of NTT-ME System Operation Center, and Norihide Saito of Flatt Security inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-49598 Naoya Miyaguchi of Kanmu, Inc, SHO ODAGIRI of GMO Cybersecurity by Ierae Inc., Tsubasa Fujii (@reinforchu), Eiji Mori of Flatt Security Inc., Shiga Takuma of BroadBand Security Inc., and Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-49807 Naoya Miyaguchi of Kanmu, Inc and Naoki Takayama of University of Tsukuba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-50175 Norihide Saito of Flatt Security inc., Naoya Miyaguchi of Kanmu, Inc, and Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2023-50294, CVE-2023-50332, CVE-2023-50339 Norihide Saito of Flatt Security inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

References

Type

URL

	JVN	https://jvn.jp/en/jp/JVN18715935/index.html
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-42436
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-45737
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-45740
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-46699
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-47215
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-49119
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-49598
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-49779
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-49807
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-50175
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-50294
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-50332
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-50339
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-42436
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-45737
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-45740
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-46699
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-47215
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-49119
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-49598
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-49779
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-49807
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-50175
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-50294
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-50332
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-50339
	Cross-Site Request Forgery(CWE-352)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	Cross-site Scripting(CWE-79)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	No Mapping(CWE-Other)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor

Product

WESEEK, Inc.

GROWI

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000123.html",
  "dc:date": "2024-03-19T17:46+09:00",
  "dcterms:issued": "2023-12-13T15:30+09:00",
  "dcterms:modified": "2024-03-19T17:46+09:00",
  "description": "GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eStored cross-site scripting vulnerability in the presentation feature (CWE-79) - CVE-2023-42436\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page (CWE-79) - CVE-2023-45737\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability when processing profile images (CWE-79) - CVE-2023-45740\u003c/li\u003e\u003cli\u003eCross-site request forgery vulnerability in the User settings (/me) page (CWE-352) - CVE-2023-46699\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability exploiting a behavior of the XSS Filter (CWE-79) - CVE-2023-47215\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability via the img tags (CWE-79) - CVE-2023-49119\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the event handlers of the pre tags (CWE-79) - CVE-2023-49598\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the anchor tag (CWE-79) - CVE-2023-49779\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability when processing the MathJax (CWE-79) - CVE-2023-49807\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page (CWE-79) - CVE-2023-50175\u003c/li\u003e\u003cli\u003eCleartext storage of sensitive information vulnerability in the App Settings (/admin/app) page\u0027s Secret access key (CWE-312) - CVE-2023-50294\u003c/li\u003e\u003cli\u003eImproper authorization in the User Management (/admin/users) page (CWE-285) - CVE-2023-50332\u003c/li\u003e\u003cli\u003eStored cross-site scripting vulnerability in the User Management (/admin/users) page (CWE-79) - CVE-2023-50339\u003c/li\u003e\u003c/ul\u003e\r\nCVE-2023-42436\r\nKakeru Kajihara of NTT-ME System Operation Center reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-45737\r\nNaoki Takayama of University of Tsukuba reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-45740\r\nKanta Nishitani of GMO Cybersecurity by Ierae Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-46699\r\nNorihide Saito reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-47215, CVE-2023-49779\r\nNaoya Miyaguchi of Kanmu, Inc reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-49119\r\nNaoki Takayama of University of Tsukuba, Suguru Itagaki of NTT-ME System Operation Center, and Norihide Saito of Flatt Security inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-49598\r\nNaoya Miyaguchi of Kanmu, Inc, SHO ODAGIRI of GMO Cybersecurity by Ierae Inc., Tsubasa Fujii (@reinforchu), Eiji Mori of Flatt Security Inc., Shiga Takuma of BroadBand Security Inc., and Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-49807\r\nNaoya Miyaguchi of Kanmu, Inc and Naoki Takayama of University of Tsukuba reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-50175\r\nNorihide Saito of Flatt Security inc., Naoya Miyaguchi of Kanmu, Inc, and Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-50294, CVE-2023-50332, CVE-2023-50339\r\nNorihide Saito of Flatt Security inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000123.html",
  "sec:cpe": {
    "#text": "cpe:/a:weseek:growi",
    "@product": "GROWI",
    "@vendor": "WESEEK, Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "5.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "4.3",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2023-000123",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN18715935/index.html",
      "@id": "JVN#18715935",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-42436",
      "@id": "CVE-2023-42436",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-45737",
      "@id": "CVE-2023-45737",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-45740",
      "@id": "CVE-2023-45740",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-46699",
      "@id": "CVE-2023-46699",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-47215",
      "@id": "CVE-2023-47215",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-49119",
      "@id": "CVE-2023-49119",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-49598",
      "@id": "CVE-2023-49598",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-49779",
      "@id": "CVE-2023-49779",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-49807",
      "@id": "CVE-2023-49807",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-50175",
      "@id": "CVE-2023-50175",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-50294",
      "@id": "CVE-2023-50294",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-50332",
      "@id": "CVE-2023-50332",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-50339",
      "@id": "CVE-2023-50339",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-42436",
      "@id": "CVE-2023-42436",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-45737",
      "@id": "CVE-2023-45737",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-45740",
      "@id": "CVE-2023-45740",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-46699",
      "@id": "CVE-2023-46699",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-47215",
      "@id": "CVE-2023-47215",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49119",
      "@id": "CVE-2023-49119",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49598",
      "@id": "CVE-2023-49598",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49779",
      "@id": "CVE-2023-49779",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49807",
      "@id": "CVE-2023-49807",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50175",
      "@id": "CVE-2023-50175",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50294",
      "@id": "CVE-2023-50294",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50332",
      "@id": "CVE-2023-50332",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50339",
      "@id": "CVE-2023-50339",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-352",
      "@title": "Cross-Site Request Forgery(CWE-352)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "Multiple vulnerabilities in GROWI"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-45740 (GCVE-0-2023-45740)

FKIE_CVE-2023-45740

GSD-2023-45740

GHSA-G8W6-GHCH-W9W2

JVNDB-2023-000123

Tags

Sightings

Nomenclature