PT-2019-13273 · Weseek · Weseek Growi

Olle Westrin · Published 2019-07-09 · Updated 2020-08-24 · CVE-2019-13337

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: WESEEK GROWI versions prior to 3.5.0

Description: The issue allows site-wide basic authentication to be bypassed by adding an access token URL parameter to a request. This parameter is used by the API, but no valid token is required because the backend does not validate it; its mere presence is enough to skip the basic authentication check. As a result, the website can be browsed as if no basic authentication were configured.

Recommendations: For versions prior to 3.5.0, update to version 3.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the access token parameter in the API endpoint to minimize the risk of exploitation.

Fix

IDOR

Incorrect Authorization


Weakness Enumeration

Related identifiers

CVE-2019-13337

Affected products

Weseek Growi