PT-2019-13273 · Weseek · Weseek Growi

Olle Westrin · Published 2019-07-09 · Updated 2020-08-24

CVE-2019-13337 · CVSS v3.1 7.5 High · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

WESEEK GROWI versions prior to 3.5.0

Description

The issue allows site-wide basic authentication to be bypassed by adding the access token URL parameter to a request. The parameter is intended for API calls, but the backend only checks that it is present, not that the token it carries is valid, so any value skips the basic authentication check. As a result, the website can be browsed as if no basic authentication were configured.

Recommendations

For versions prior to 3.5.0, update to version 3.5.0 or later to resolve the issue. As a temporary workaround, restrict requests that carry the access token parameter (for example, at a reverse proxy in front of the application) so that the parameter cannot be used to skip basic authentication, which minimizes the risk of exploitation until the update is applied.

Fix

IDOR

Incorrect Authorization


Weakness Enumeration

Related Identifiers

CVE-2019-13337

Affected Products

Weseek Growi