Japan Vulnerability Notes (jvn) - JVN:18716340
Aug 03, 2018 - 12:00 a.m.

JVN#18716340: Multiple cross-site scripting vulnerabilities in GROWI

2018-08-03 00:00:00
Japan Vulnerability Notes
jvn.jp
CVSS2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

CVSS3: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

EPSS: 0.001 (Percentile: 41.4%)

GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below.

Stored cross-site scripting vulnerability in the UserGroup Management section of admin page (CWE-79) - CVE-2018-0652

Version | Vector | Base Score
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N | 5.5
CVSS v2 | AV:N/AC:L/Au:S/C:N/I:P/A:N | 4.0

Stored cross-site scripting vulnerability in Wiki page view (CWE-79) - CVE-2018-0653

Version | Vector | Base Score
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N | 6.4
CVSS v2 | AV:N/AC:L/Au:S/C:N/I:P/A:N | 4.0

Reflected cross-site scripting vulnerability in the modal for creating Wiki page (CWE-79) - CVE-2018-0654

Version | Vector | Base Score
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 6.1
CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | 2.6

Stored cross-site scripting in the app settings section of admin page (CWE-79) - CVE-2018-0655

Version | Vector | Base Score
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N | 5.5
CVSS v2 | AV:N/AC:L/Au:S/C:N/I:P/A:N | 4.0

Impact

  • An arbitrary script may be executed on a logged-in user’s web browser. - CVE-2018-0652, CVE-2018-0653
  • An arbitrary script may be executed on the user’s web browser. - CVE-2018-0654, CVE-2018-0655

Solution

Update the software
Update to the latest version according to the information provided by the developer.

Products Affected

  • GROWI v.3.1.11 and earlier
