Naoya Miyaguchi

**Name of the Vulnerable Software and Affected Versions** a-blog cms versions prior to 3.1.7 a-blog cms versions prior to 3.0.29 a-blog cms versions prior to 2.11.58 a-blog cms versions prior to 2.10.50 a-blog cms version 2.9.0 and earlier **Description** The issue is related to improper input validation, allowing a remote authenticated attacker to execute arbitrary code by uploading a specially crafted SVG file. **Recommendations** For versions prior to 3.1.7, update to version 3.1.7 or later. For versions prior to 3.0.29, update to version 3.0.29 or later. For versions prior to 2.11.58, update to version 2.11.58 or later. For versions prior to 2.10.50, update to version 2.10.50 or later. For version 2.9.0 and earlier, update to a later version. As a temporary workaround, consider restricting the upload of SVG files until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GROWI versions prior to v6.0.0 **Description** A stored cross-site scripting vulnerability exists, exploiting a behavior of the XSS Filter. If this issue is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product. **Recommendations** For versions prior to v6.0.0, update to version v6.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable areas of the application until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** GROWI versions prior to v6.0.0 **Description** A stored cross-site scripting issue exists in the event handlers of the `pre` tags. If exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product. **Recommendations** For GROWI versions prior to v6.0.0, update to version v6.0.0 or later to resolve the issue. As a temporary workaround, consider disabling the event handlers of the `pre` tags until a patch is available. Restrict access to the `pre` tags to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GROWI versions prior to v6.0.0 **Description** A stored cross-site scripting issue exists in the anchor tag of GROWI. If exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product. **Recommendations** For versions prior to v6.0.0, update to version v6.0.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the anchor tag in GROWI until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** GROWI versions prior to v6.0.0 **Description** A stored cross-site scripting issue exists when processing MathJax. This could allow an arbitrary script to be executed on the user's web browser if the vulnerability is exploited. **Recommendations** For versions prior to v6.0.0, update to version v6.0.0 or later to resolve the issue. As a temporary workaround, consider disabling the MathJax processing feature until a patch is available. Restrict access to the MathJax module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GROWI versions prior to v6.0.0 **Description** A stored cross-site scripting issue exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page. This could allow an arbitrary script to be executed on the web browser of the user who accessed the site using the product. **Recommendations** For versions prior to v6.0.0, update to version v6.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the /admin/app, /admin/markdown, and /admin/customize pages until a patch is applied. Avoid using these pages in production environments until the update is installed.

Name of the Vulnerable Software and Affected Versions: GROWI versions 4.2.0 through 4.2.7 Description: The issue is related to a reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters. This allows remote attackers to inject an arbitrary script via unspecified vectors. Recommendations: For versions 4.2.0 through 4.2.7, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: GROWI versions 4.2.0 through 4.2.7 Description: A stored cross-site scripting issue in the Admin Page of GROWI allows remote authenticated attackers to inject an arbitrary script via unspecified vectors. Recommendations: For versions 4.2.0 through 4.2.7, update to a version that contains a fix for this issue to prevent exploitation.