CVE-2023-46699

Name of the Vulnerable Software and Affected Versions GROWI versions prior to v6.0.0

Description A cross-site request forgery (CSRF) issue exists in the User settings (/me) page. If a user views a malicious page while logged in, settings may be changed without the user's intention. The API endpoint /me is affected.

Recommendations For versions prior to v6.0.0, update to version v6.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the /me page until a patch is available. Avoid using the /me page in a multi-tab browsing environment to minimize the risk of exploitation.