The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained by an attacker who can access the App Settings page.
[
{
"vendor": "WESEEK, Inc.",
"product": "GROWI",
"versions": [
{
"version": "prior to v6.0.6",
"status": "affected"
}
]
}
]