CVE-2021-20667

Name of the Vulnerable Software and Affected Versions: GROWI versions v4.2.2 and earlier

Description: The issue is related to a stored cross-site scripting vulnerability due to inadequate Content Security Policy (CSP) configuration. This allows remote authenticated attackers to inject an arbitrary script via specially crafted content.

Recommendations: For GROWI versions v4.2.2 and earlier, update to a version that properly configures the Content Security Policy to prevent cross-site scripting attacks. As a temporary workaround, consider restricting access to sensitive areas of the application where user-generated content can be posted, to minimize the risk of exploitation.