Lucene search

[email protected]NVD:CVE-2023-50294

HistoryDec 26, 2023 - 8:15 a.m.

CVE-2023-50294

2023-12-2608:15:11

CWE-312

[email protected]

web.nvd.nist.gov

app settings

growi

sensitive information

cleartext

secret access key

external service

attacker access

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0005 Low

EPSS

Percentile

18.3%

JSON

The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained by an attacker who can access the App Settings page.

Affected configurations

NVD

Node

weseekgrowiRange<6.0.6

References

jvn.jp/en/jp/JVN18715935/

weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0005 Low

EPSS

Percentile

18.3%

JSON

Related for NVD:CVE-2023-50294

cve1 cvelist1 prion1 osv1 jvn1