PT-2023-31526 · Growi · Growi
Norihide Saito
·
Published
2023-12-26
·
Updated
2024-01-02
·
CVE-2023-50294
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
GROWI versions prior to v6.0.6
Description
The issue concerns the storage of sensitive information in cleartext form on the App Settings page, located at "/admin/app". This could allow an attacker with access to the page to obtain the Secret access key for an external service.
Recommendations
For versions prior to v6.0.6, update to version v6.0.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the App Settings page (/admin/app) to minimize the risk of exploitation.
Fix
Cleartext Storage of Sensitive Information
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Growi