Olle Westrin

**Name of the Vulnerable Software and Affected Versions** WESEEK GROWI versions prior to 3.5.0 **Description** The issue allows site-wide basic authentication to be bypassed by adding a URL parameter `access token`. This parameter is used by the API, but no valid token is required because it is not validated by the backend. As a result, the website can be browsed as if no basic authentication is required. **Recommendations** For versions prior to 3.5.0, update to version 3.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `access token` parameter in the API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WESEEK GROWI versions prior to 3.5.0 **Description** A remote attacker can obtain the password hash of the creator of a page by leveraging wiki access to make API calls for page metadata. The password hash can be retrieved even though it is not a publicly available field. **Recommendations** For versions prior to 3.5.0, update to version 3.5.0 or later to resolve the issue.