Norihide Saito

**Name of the Vulnerable Software and Affected Versions** GROWI versions prior to v6.1.11 **Description** A stored cross-site scripting issue exists in the User Management page (/admin/users) of GROWI. This issue can lead to the execution of an arbitrary script on the web browser of the user who accessed the site using the product. **Recommendations** For GROWI versions prior to v6.1.11, update to version v6.1.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the User Management page (/admin/users) to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GROWI versions prior to v6.0.0 **Description** A cross-site request forgery (CSRF) issue exists in the User settings (/me) page. If a user views a malicious page while logged in, settings may be changed without the user's intention. The API endpoint `/me` is affected. **Recommendations** For versions prior to v6.0.0, update to version v6.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/me` page until a patch is available. Avoid using the `/me` page in a multi-tab browsing environment to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GROWI versions prior to v6.0.0 **Description** A stored cross-site scripting issue exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page. This could allow an arbitrary script to be executed on the web browser of the user who accessed the site using the product. **Recommendations** For versions prior to v6.0.0, update to version v6.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the /admin/app, /admin/markdown, and /admin/customize pages until a patch is applied. Avoid using these pages in production environments until the update is installed.

**Name of the Vulnerable Software and Affected Versions** GROWI versions prior to v6.0.6 **Description** The issue concerns the storage of sensitive information in cleartext form on the App Settings page, located at "/admin/app". This could allow an attacker with access to the page to obtain the Secret access key for an external service. **Recommendations** For versions prior to v6.0.6, update to version v6.0.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the App Settings page (/admin/app) to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GROWI versions prior to v6.0.6 **Description** An improper authorization issue exists in the User Management page, specifically at the `/admin/users` endpoint. This issue can lead to unintended deletion or suspension of a user's account. **Recommendations** For versions prior to v6.0.6, update to version v6.0.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/admin/users` endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** GROWI versions prior to v4.2.3 GROWI versions prior to v4.1.12 GROWI v3 series and earlier **Description** The issue is caused by improper input validation, allowing remote attackers to cause a denial of service via unspecified vectors. **Recommendations** For GROWI versions prior to v4.2.3, update to version v4.2.3 or later. For GROWI versions prior to v4.1.12, update to version v4.1.12 or later. For GROWI v3 series and earlier, update to a version later than v3.

**Name of the Vulnerable Software and Affected Versions** GROWI versions 4.0.0 and earlier **Description** A reflected cross-site scripting issue allows remote attackers to inject arbitrary script via unspecified vectors. **Recommendations** For GROWI versions 4.0.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GROWI versions 3.8.1 and earlier **Description** The issue allows remote attackers to inject arbitrary script via unspecified vectors, which is a stored cross-site scripting vulnerability. **Recommendations** For GROWI versions 3.8.1 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GROWI versions 4.1.3 and earlier **Description** The issue allows remote attackers to obtain information that is not allowed to access via unspecified vectors. **Recommendations** For GROWI versions 4.1.3 and earlier, at the moment, there is no information about a newer version that contains a fix for this issue.